Windows Analysis Report RpDMpvgd55

Overview

General Information

Sample Name: RpDMpvgd55 (renamed file extension from none to exe)
Analysis ID: 478945
MD5: 0e569851a5caffd0924437714db46abe
SHA1: 32fe45fbef9753d08978ad11a0001b29f032ba34
SHA256: 8fd4b32e8bc096e4f4c34ba302295caa4accd453edff3e4a153397710fbc4a94
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Contains capabilities to detect virtual machines
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: RpDMpvgd55.exe ReversingLabs: Detection: 72%
Antivirus / Scanner detection for submitted sample
Source: RpDMpvgd55.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\start.exe Avira: detection malicious, Label: HEUR/AGEN.1101677
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\start.exe ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: RpDMpvgd55.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\start.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.start.exe.730000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 23.2.start.exe.520000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.RpDMpvgd55.exe.c30000.0.unpack Avira: Label: TR/Crypt.XDR.Gen
Source: 19.2.start.exe.500000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 13.2.start.exe.8c0000.0.unpack Avira: Label: TR/Crypt.XDR.Gen
Source: 9.2.start.exe.e50000.0.unpack Avira: Label: TR/Crypt.XDR.Gen
Source: 17.2.start.exe.b40000.0.unpack Avira: Label: TR/Crypt.XDR.Gen

Compliance:

Uses 32bit PE files
Source: RpDMpvgd55.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: RpDMpvgd55.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: start.exe, 0000000B.00000002.617396677.0000000003735000.00000004.00000001.sdmp, start.exe, 00000013.00000003.473129874.0000000003D75000.00000004.00000001.sdmp, start.exe, 00000017.00000003.490802427.0000000003F25000.00000004.00000001.sdmp, vbc.exe, 00000021.00000002.576492139.0000000000400000.00000040.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: vbc.exe, 00000019.00000002.491710591.0000000002150000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.511848091.0000000002260000.00000004.00000001.sdmp String found in binary or memory: ?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=ab104b93-3a7d-4cc3-b5fe-9fa9f0462c64&partnerId=retailstore2https://login.live.com/me.srfhttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000019.00000002.491710591.0000000002150000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.511848091.0000000002260000.00000004.00000001.sdmp String found in binary or memory: ?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=ab104b93-3a7d-4cc3-b5fe-9fa9f0462c64&partnerId=retailstore2https://login.live.com/me.srfhttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000019.00000003.489814645.000000000214C000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.510766984.000000000225D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000012.00000003.449956890.00000000020F5000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000012.00000003.449693652.00000000020F4000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 00000019.00000003.489646915.000000000214E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: vbc.exe, 0000001C.00000003.510593008.000000000225E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.c
Source: start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: vbc.exe, 00000012.00000003.447596729.00000000020E1000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.487201383.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.509693008.0000000002241000.00000004.00000001.sdmp String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: RpDMpvgd55.exe, 00000001.00000002.370358724.0000000004DC8000.00000004.00000001.sdmp, start.exe, 00000009.00000002.439008892.0000000004C26000.00000004.00000001.sdmp, start.exe, 0000000B.00000002.608934819.0000000000732000.00000040.00000001.sdmp, start.exe, 0000000D.00000002.484936164.0000000004746000.00000004.00000001.sdmp, start.exe, 00000011.00000002.503262589.0000000004D28000.00000004.00000001.sdmp, start.exe, 00000013.00000002.608001079.0000000000502000.00000040.00000001.sdmp, start.exe, 00000017.00000002.608775895.0000000000522000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 00000012.00000003.446575309.00000000020F3000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/?
Source: vbc.exe, 0000001C.00000003.510593008.000000000225E000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508838804.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508578180.0000000002253000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508608382.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508723934.000000000225D000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: vbc.exe, 00000012.00000002.450712436.000000000019C000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.490898947.000000000019C000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.511307967.000000000019C000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 00000021.00000002.576492139.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000012.00000003.447412207.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.449461802.00000000020E1000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: vbc.exe, 0000001C.00000003.510593008.000000000225E000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508838804.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.511848091.0000000002260000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508723934.000000000225D000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: vbc.exe, 00000012.00000003.446879234.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000012.00000003.446910816.00000000020F4000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: vbc.exe, 00000012.00000003.446410926.00000000020F3000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php
Source: vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508838804.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508578180.0000000002253000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508608382.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508723934.000000000225D000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000001C.00000003.509662542.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.510766984.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.510593008.000000000225E000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508440923.0000000002253000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508838804.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508578180.0000000002253000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508608382.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508723934.000000000225D000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 0000001C.00000003.509662542.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.510766984.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.510593008.000000000225E000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508440923.0000000002253000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508838804.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508578180.0000000002253000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508608382.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508723934.000000000225D000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 00000012.00000003.447122027.00000000026D1000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: vbc.exe, 00000012.00000003.446478560.00000000020FB000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1id=77%2C18
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: vbc.exe, 00000012.00000003.446964985.00000000020E1000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486936386.0000000002131000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: vbc.exe, 00000012.00000003.446184342.00000000020FB000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: vbc.exe, 00000012.00000003.446910816.00000000020F4000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446214663.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446385375.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446277904.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446810835.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446355440.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446556696.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446779322.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446613111.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446248806.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446638409.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446434893.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.446719432.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.489646915.000000000214E000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486653458.000000000214D000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.489814645.000000000214C000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.488085814.000000000214D000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.487110877.000000000214D000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486793663.000000000214D000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486411159.0000000002143000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.509662542.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.510766984.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.510593008.000000000225E000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508440923.0000000002253000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508838804.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508608382.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508723934.000000000225D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 00000012.00000003.446016500.00000000020ED000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486194410.000000000213D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508869440.0000000002241000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: vbc.exe, 00000012.00000003.446854849.00000000020F3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.488085814.000000000214D000.00000004.00000001.sdmp, vbc.exe, 00000019.00000003.486588561.0000000002143000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.509662542.000000000225D000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000003.508578180.0000000002253000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.start.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4aff1c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.50a23e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4e795c9.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.5018179.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4e795c9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4dc8179.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.490f1c9.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4db23e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.start.exe.520000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4d28179.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4def1c9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4aff1c9.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4b895c9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4d28179.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.start.exe.500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.490f1c9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.50a23e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4c295c9.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.4b38179.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.4bc23e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.4b38179.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4db23e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.49995c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4e523e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4def1c9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.49995c9.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4b895c9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.5018179.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4936a10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.4746a10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4c26a10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.608775895.0000000000522000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.484936164.0000000004746000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.370358724.0000000004DC8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611636873.0000000002582000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.611953012.0000000002734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.608001079.0000000000502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.486549188.0000000004B38000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.503262589.0000000004D28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.608934819.0000000000732000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.441589720.0000000005018000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.439008892.0000000004C26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502748889.0000000004936000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.368874636.00000000049D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RpDMpvgd55.exe PID: 6900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 1724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 3940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6428, type: MEMORYSTR

System Summary:

Malicious sample detected (through community Yara rule)
Source: 19.3.start.exe.3d75810.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 11.2.start.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 11.2.start.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 17.2.start.exe.4aff1c9.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4aff1c9.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 23.3.start.exe.3f7db5a.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 9.2.start.exe.50a23e0.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.50a23e0.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 11.3.start.exe.3fa5810.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 9.2.start.exe.4e795c9.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.4e795c9.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.3.start.exe.3dcdb5a.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.start.exe.5018179.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.5018179.5.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 11.2.start.exe.37d1990.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.start.exe.4e795c9.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.4e795c9.1.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 33.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 13.2.start.exe.490f1c9.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.490f1c9.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 11.3.start.exe.3ffdb5a.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 17.2.start.exe.4db23e0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4db23e0.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 23.2.start.exe.520000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 23.2.start.exe.520000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 17.2.start.exe.4d28179.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4d28179.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 11.3.start.exe.3fa5810.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.start.exe.4def1c9.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.4def1c9.2.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 17.2.start.exe.4aff1c9.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4aff1c9.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 23.3.start.exe.3f25b55.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 17.2.start.exe.4b895c9.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4b895c9.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 11.3.start.exe.3fa5b55.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 17.2.start.exe.4d28179.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4d28179.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 23.3.start.exe.3f25810.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 33.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.2.start.exe.500000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 19.2.start.exe.500000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 11.3.start.exe.3ffdb5a.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 13.2.start.exe.490f1c9.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.490f1c9.1.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.3.start.exe.3d75b55.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.start.exe.50a23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.50a23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 11.2.start.exe.37d1990.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 13.2.start.exe.4b38179.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.4b38179.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.3.start.exe.3d75810.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 13.2.start.exe.4bc23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.4bc23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 13.2.start.exe.4b38179.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.4b38179.5.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 17.2.start.exe.4db23e0.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4db23e0.5.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 13.2.start.exe.49995c9.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.49995c9.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 9.2.start.exe.4def1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.4def1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 13.2.start.exe.49995c9.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.49995c9.3.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 17.2.start.exe.4b895c9.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4b895c9.2.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.3.start.exe.3dcdb5a.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 23.3.start.exe.3f7db5a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 23.3.start.exe.3f25810.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 11.2.start.exe.3735950.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 9.2.start.exe.5018179.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.5018179.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 17.2.start.exe.4936a10.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 17.2.start.exe.4936a10.1.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 13.2.start.exe.4746a10.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.4746a10.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 9.2.start.exe.4c26a10.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 9.2.start.exe.4c26a10.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 00000017.00000002.608775895.0000000000522000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000D.00000002.484936164.0000000004746000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.370358724.0000000004DC8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000021.00000002.576492139.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000002.611636873.0000000002582000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000017.00000002.611953012.0000000002734000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000002.608001079.0000000000502000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000D.00000002.486549188.0000000004B38000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000011.00000002.503262589.0000000004D28000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000000B.00000002.608934819.0000000000732000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000009.00000002.441589720.0000000005018000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000009.00000002.439008892.0000000004C26000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000011.00000002.502748889.0000000004936000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.368874636.00000000049D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RpDMpvgd55.exe PID: 6900, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: start.exe PID: 6344, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: start.exe PID: 1724, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: start.exe PID: 3940, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: start.exe PID: 6988, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: start.exe PID: 4928, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: start.exe PID: 6428, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
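Two things are worth pulling out of the match list above before reading on. First, the list is a flat dump: every unpacked region (mapped and raw) and every memory dump of every process is listed separately, so the same two HawkEye rules appear dozens of times. Second, a third rule, "Detects BabyShark KimJongRAT", fires only in the vbc.exe process (33) and in the stage-3 regions of start.exe; it never fires in the same regions as the HawkEye rules. HawkEye Reborn is known to run the NirSoft MailPassView/WebBrowserPassView recovery tools inside vbc.exe (the report's own "Yara detected MailPassView" and "Yara detected WebBrowserPassView" signatures), so that hit is most plausibly the BabyShark rule keying on shared password-recovery strings rather than evidence of a second family; treat it as something to confirm against the rule's strings, not as a verdict. The rule identifiers to pivot on are the ones in the "Yara signature match" section (MAL_HawkEye_Keylogger_Gen_Dec18, HawkEyev9, APT_NK_BabyShark_KimJoingRAT_Apr19_1, SUSP_NET_NAME_ConfuserEx), not the free-text descriptions.

The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses the "Source: ... Matched rule: ..." lines into a per-rule summary (which process indexes and images each rule fired in, and whether it fired in an executable-writable region). It assumes the naming conventions visible in the report, which the data itself bears out: an unpacked-PE source is `<proc>.<stage>.<image>.<addr>.<idx>[.raw].unpack`, a memory-dump source is `<proc>.<stage>.<dumpid>.<addr>.<prot>.<type>.sdmp` with `<proc>` in hexadecimal (00000021 is process 33, the vbc.exe process) and `<prot>` a Win32 page-protection value (the 0x40 regions sit at 0x400000 in vbc.exe and at 0x502000, 0x522000 and 0x732000 in start.exe, the same bases as the `.unpack` dumps of the injected payload). Those field meanings are assumptions. The sample lines are a subset copied from the report above.

```python
"""Summarise Joe Sandbox 'Matched rule' lines (added example, not report code).

Assumed source-name formats (not documented in the report itself):
  UNPACKEDPE : <proc>.<stage>.<image>.<addr>.<idx>[.raw].unpack
  MEMORY     : <proc>.<stage>.<dumpid>.<addr>.<prot>.<type>.sdmp   (<proc> is hex)
  MEMORYSTR  : Process Memory Space: <image> PID: <pid>
"""
import re
from collections import defaultdict

# Representative lines copied from the report above.
SAMPLE_LINES = """\
Source: 19.3.start.exe.3d75810.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 33.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000021.00000002.576492139.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000009.00000002.439008892.0000000004C26000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: start.exe PID: 6344, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
"""

LINE_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<type>\w+) Matched rule: (?P<rule>.+?) Author: (?P<author>.+)$")
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9a-f]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\.(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<mtype>[0-9A-F]{8})\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")

# Win32 page-protection constants; the <prot> field is assumed to carry these values.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40


def parse_source(src, typ):
    """Return (process_index, image, address, protection); fields not present are None."""
    if typ == "UNPACKEDPE":
        m = UNPACK_RE.match(src)
        return int(m["proc"]), m["image"], int(m["addr"], 16), None
    if typ == "MEMORY":
        m = SDMP_RE.match(src)
        return int(m["proc"], 16), None, int(m["addr"], 16), int(m["prot"], 16)
    if typ == "MEMORYSTR":
        m = MEMSTR_RE.match(src)
        return None, m["image"], None, None
    raise ValueError(f"unknown source type {typ!r}")


def summarise(text):
    """Collapse the flat match list into one entry per rule description."""
    rules = defaultdict(lambda: {"procs": set(), "images": set(), "rwx": False})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings and non-match lines
        proc, image, _addr, prot = parse_source(m["src"], m["type"])
        entry = rules[m["rule"]]
        if proc is not None:
            entry["procs"].add(proc)
        if image is not None:
            entry["images"].add(image)
        if prot == PAGE_EXECUTE_READWRITE:
            entry["rwx"] = True  # rule fired inside an RWX region (hollowed/injected image)
    return dict(rules)


def rules_in_image(summary, image):
    """Which rules fired in a given process image, e.g. 'vbc.exe'."""
    return {rule for rule, e in summary.items() if image in e["images"]}


if __name__ == "__main__":
    for rule, e in summarise(SAMPLE_LINES).items():
        print(f"{rule}: procs={sorted(e['procs'])} images={sorted(e['images'])} rwx={e['rwx']}")
```

Run it over the whole "Malicious sample detected" block and the BabyShark rule collapses to start.exe stage-3 regions plus vbc.exe, while both HawkEye rules cover every start.exe and RpDMpvgd55.exe stage-2 dump; that separation is what makes the cross-family hit worth checking rather than reporting.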
PE file has nameless sections
Source: RpDMpvgd55.exe Static PE information: section name:
Source: start.exe.4.dr Static PE information: section name:
Uses 32bit PE files
Source: RpDMpvgd55.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
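The two static findings above (an empty section name in both the sample and the dropped start.exe, and the 32BIT_MACHINE/EXECUTABLE_IMAGE file characteristics) come straight from the COFF header and the section table, so they are cheap to re-check on the dropped file without a sandbox. The following Python is an added example, not Joe Sandbox code and not from the report: a section-table parser written with the standard library only (no pefile dependency), plus a builder for a constructed header-only PE32 stub used as test input. The list of "standard" section names is my own choice and is an assumption; compilers and packers use others legitimately, so a non-standard name is a lead, not a detection on its own.

```python
"""Check a PE's section names and file characteristics (added example, not report code)."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits and Machine value (Microsoft PE/COFF spec)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_MACHINE_I386 = 0x014C

# Assumption: names a linker commonly emits; anything else is flagged for a look.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                          ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def parse_pe(data):
    """Parse the DOS stub pointer, COFF header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        off = sec_off + 40 * i
        raw_name = data[off:off + 8]
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        (sec_chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
            "characteristics": sec_chars,
        })
    return {"machine": machine, "characteristics": chars, "sections": sections}


def findings(info):
    """Reproduce the report's static findings: file flags, nameless and odd section names."""
    out = []
    if info["machine"] == IMAGE_FILE_MACHINE_I386 and info["characteristics"] & IMAGE_FILE_32BIT_MACHINE:
        out.append("32BIT_MACHINE")
    if info["characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE:
        out.append("EXECUTABLE_IMAGE")
    for s in info["sections"]:
        if s["name"] == "":
            out.append("nameless section at RVA 0x%x" % s["vaddr"])
        elif s["name"] not in STANDARD_SECTION_NAMES:
            out.append("non-standard section name %r" % s["name"])
    return out


def build_minimal_pe(section_names, machine=IMAGE_FILE_MACHINE_I386,
                     characteristics=IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE):
    """Constructed input: a header-only PE32 stub (no code) with the given section names."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64 bytes
    opt = bytes(224)  # PE32 optional header is 0xE0 bytes; contents unused here
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, len(opt), characteristics)
    secs = b""
    for i, name in enumerate(section_names):
        raw = name.encode("ascii")[:8].ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/lineno ptrs, counts, flags
        secs += raw + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                                  0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + secs


def scan_file(path):
    with open(path, "rb") as f:
        return findings(parse_pe(f.read()))


if __name__ == "__main__":
    for line in findings(parse_pe(build_minimal_pe(["", ".text", "kjhsdf", ".rsrc"]))):
        print(line)
```

Point `scan_file` at the dropped start.exe from the analysis (the `start.exe.4.dr` artifact) to confirm the empty section name; on a real file the nameless section is usually where the packer keeps its data, so its RVA is the next thing to look at in the unpacked dumps.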
Yara signature match
Source: 19.3.start.exe.3d75810.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.2.start.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 11.2.start.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 11.2.start.exe.730000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 17.2.start.exe.4aff1c9.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4aff1c9.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4aff1c9.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 23.3.start.exe.3f7db5a.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 9.2.start.exe.50a23e0.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.50a23e0.4.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.50a23e0.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.3.start.exe.3fa5810.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 9.2.start.exe.4e795c9.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.4e795c9.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.4e795c9.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.3.start.exe.3dcdb5a.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.start.exe.5018179.5.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.5018179.5.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.5018179.5.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.2.start.exe.37d1990.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.start.exe.4e795c9.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.4e795c9.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.4e795c9.1.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.4dc8179.5.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 33.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 13.2.start.exe.490f1c9.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.490f1c9.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.490f1c9.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.3.start.exe.3ffdb5a.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 17.2.start.exe.4db23e0.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4db23e0.5.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4db23e0.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 23.2.start.exe.520000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 23.2.start.exe.520000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 23.2.start.exe.520000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 17.2.start.exe.4d28179.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4d28179.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4d28179.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.3.start.exe.3fa5810.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.start.exe.4def1c9.2.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.4def1c9.2.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.4def1c9.2.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 17.2.start.exe.4aff1c9.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4aff1c9.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4aff1c9.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 23.3.start.exe.3f25b55.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 17.2.start.exe.4b895c9.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4b895c9.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4b895c9.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.3.start.exe.3fa5b55.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 17.2.start.exe.4d28179.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4d28179.4.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4d28179.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 23.3.start.exe.3f25810.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 33.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.2.start.exe.500000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 19.2.start.exe.500000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 19.2.start.exe.500000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.3.start.exe.3ffdb5a.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 13.2.start.exe.490f1c9.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.490f1c9.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.490f1c9.1.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.3.start.exe.3d75b55.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.start.exe.50a23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.50a23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.50a23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.4c295c9.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 11.2.start.exe.37d1990.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 13.2.start.exe.4b38179.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.4b38179.5.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.4b38179.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.3.start.exe.3d75810.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 13.2.start.exe.4bc23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.4bc23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.4bc23e0.4.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 13.2.start.exe.4b38179.5.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.4b38179.5.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.4b38179.5.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 17.2.start.exe.4db23e0.5.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4db23e0.5.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4db23e0.5.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 13.2.start.exe.49995c9.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.49995c9.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.49995c9.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.4e523e0.4.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 9.2.start.exe.4def1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.4def1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.4def1c9.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 13.2.start.exe.49995c9.3.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.49995c9.3.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.49995c9.3.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 17.2.start.exe.4b895c9.2.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4b895c9.2.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4b895c9.2.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.3.start.exe.3dcdb5a.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 23.3.start.exe.3f7db5a.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 23.3.start.exe.3f25810.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 11.2.start.exe.3735950.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 9.2.start.exe.5018179.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.5018179.5.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.5018179.5.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 17.2.start.exe.4936a10.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 17.2.start.exe.4936a10.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 17.2.start.exe.4936a10.1.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 13.2.start.exe.4746a10.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 13.2.start.exe.4746a10.2.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 13.2.start.exe.4746a10.2.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 9.2.start.exe.4c26a10.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 9.2.start.exe.4c26a10.3.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 9.2.start.exe.4c26a10.3.raw.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 00000017.00000002.608775895.0000000000522000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000D.00000002.484936164.0000000004746000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.370358724.0000000004DC8000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000021.00000002.576492139.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000002.611636873.0000000002582000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000017.00000002.611953012.0000000002734000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000013.00000002.608001079.0000000000502000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000D.00000002.486549188.0000000004B38000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000011.00000002.503262589.0000000004D28000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000000B.00000002.608934819.0000000000732000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000009.00000002.441589720.0000000005018000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000009.00000002.439008892.0000000004C26000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000011.00000002.502748889.0000000004936000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.368874636.00000000049D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: RpDMpvgd55.exe PID: 6900, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: start.exe PID: 6344, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: start.exe PID: 1724, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: start.exe PID: 3940, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: start.exe PID: 6988, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: start.exe PID: 4928, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: start.exe PID: 6428, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Detected potential crypto function
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Code function: 1_2_017A20B1 1_2_017A20B1
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Code function: 1_2_017AC8C0 1_2_017AC8C0
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Code function: 1_2_017A0A88 1_2_017A0A88
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_018820C0 9_2_018820C0
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_0188C8B0 9_2_0188C8B0
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_01880A88 9_2_01880A88
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_05799088 9_2_05799088
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_05790C7F 9_2_05790C7F
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_05790C80 9_2_05790C80
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_0579E708 9_2_0579E708
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_05790A10 9_2_05790A10
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_05790A00 9_2_05790A00
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_0BDC87C0 9_2_0BDC87C0
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_0BDC87B0 9_2_0BDC87B0
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB2068 11_2_00DB2068
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB04E0 11_2_00DB04E0
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB54B8 11_2_00DB54B8
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB38E6 11_2_00DB38E6
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB9938 11_2_00DB9938
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB0C48 11_2_00DB0C48
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB6C29 11_2_00DB6C29
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB9F98 11_2_00DB9F98
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB4178 11_2_00DB4178
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB4168 11_2_00DB4168
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB05ED 11_2_00DB05ED
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB05A6 11_2_00DB05A6
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB8540 11_2_00DB8540
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3568 11_2_00DB3568
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB0562 11_2_00DB0562
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB4519 11_2_00DB4519
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB8531 11_2_00DB8531
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB4528 11_2_00DB4528
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB0527 11_2_00DB0527
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB5698 11_2_00DB5698
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB48D0 11_2_00DB48D0
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB48E0 11_2_00DB48E0
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB5890 11_2_00DB5890
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB5880 11_2_00DB5880
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB39D7 11_2_00DB39D7
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB29F8 11_2_00DB29F8
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB29E9 11_2_00DB29E9
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3981 11_2_00DB3981
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB9933 11_2_00DB9933
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3ADD 11_2_00DB3ADD
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3AAA 11_2_00DB3AAA
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3A77 11_2_00DB3A77
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3A02 11_2_00DB3A02
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3BCE 11_2_00DB3BCE
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3BF1 11_2_00DB3BF1
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3B60 11_2_00DB3B60
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3B1E 11_2_00DB3B1E
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3C73 11_2_00DB3C73
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3C1D 11_2_00DB3C1D
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB0C35 11_2_00DB0C35
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3DDD 11_2_00DB3DDD
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3DA0 11_2_00DB3DA0
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3D40 11_2_00DB3D40
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB8E40 11_2_00DB8E40
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3E75 11_2_00DB3E75
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB3E1A 11_2_00DB3E1A
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB6E10 11_2_00DB6E10
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB1F89 11_2_00DB1F89
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB1F6F 11_2_00DB1F6F
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_05524310 11_2_05524310
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_055262B8 11_2_055262B8
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_05524C00 11_2_05524C00
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_0552FBD0 11_2_0552FBD0
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_05529090 11_2_05529090
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_05529080 11_2_05529080
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_011D20B1 13_2_011D20B1
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_011DC8B0 13_2_011DC8B0
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_011D0A88 13_2_011D0A88
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_011D61C0 13_2_011D61C0
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_02C19088 13_2_02C19088
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_02C10A00 13_2_02C10A00
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_02C10A10 13_2_02C10A10
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_02C1E708 13_2_02C1E708
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_02C10C80 13_2_02C10C80
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_02C10C7E 13_2_02C10C7E
Sample file is different than original file name gathered from version info
Source: RpDMpvgd55.exe, 00000001.00000002.370358724.0000000004DC8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs RpDMpvgd55.exe
Source: RpDMpvgd55.exe, 00000001.00000002.366606605.0000000000CF4000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenjh.exeD vs RpDMpvgd55.exe
Source: RpDMpvgd55.exe, 00000001.00000002.368874636.00000000049D6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamexs.dll4 vs RpDMpvgd55.exe
Source: RpDMpvgd55.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: start.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RpDMpvgd55.exe Static PE information: Section: lUhFD ZLIB complexity 1.00014602804
Source: start.exe.4.dr Static PE information: Section: lUhFD ZLIB complexity 1.00014602804
Source: RpDMpvgd55.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RpDMpvgd55.exe 'C:\Users\user\Desktop\RpDMpvgd55.exe'
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\RpDMpvgd55.exe' 'C:\Users\user\AppData\Local\start.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\System32\explorer.exe' /c, 'C:\Users\user\AppData\Local\start.exe'
Source: unknown Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\start.exe 'C:\Users\user\AppData\Local\start.exe'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Users\user\AppData\Local\start.exe C:\Users\user\AppData\Local\start.exe
Source: unknown Process created: C:\Users\user\AppData\Local\start.exe 'C:\Users\user\AppData\Local\start.exe' -boot (2 identical entries)
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8598.tmp'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Users\user\AppData\Local\start.exe C:\Users\user\AppData\Local\start.exe
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Users\user\AppData\Local\start.exe C:\Users\user\AppData\Local\start.exe
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD4F0.tmp'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFEB0.tmp'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7DB4.tmp'
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\RpDMpvgd55.exe' 'C:\Users\user\AppData\Local\start.exe' Jump to behavior
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\System32\explorer.exe' /c, 'C:\Users\user\AppData\Local\start.exe' Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\start.exe 'C:\Users\user\AppData\Local\start.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Users\user\AppData\Local\start.exe C:\Users\user\AppData\Local\start.exe Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8598.tmp' Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7DB4.tmp' Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Users\user\AppData\Local\start.exe C:\Users\user\AppData\Local\start.exe (2 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD4F0.tmp'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFEB0.tmp'
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\RpDMpvgd55.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RpDMpvgd55.exe.log Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe File created: C:\Users\user\AppData\Local\Temp\24b52983-2844-023d-2e9c-886bda31e7b2 Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@25/10@0/0
Source: C:\Users\user\Desktop\RpDMpvgd55.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 11.2.start.exe.730000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.start.exe.730000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.start.exe.730000.1.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 11.2.start.exe.730000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 11.2.start.exe.730000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 11.2.start.exe.730000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (6 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Mutant created: \Sessions\1\BaseNamedObjects\86fd7b63-08aa-4cc7-9ad5-d30444821027
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2896:120:WilError_01
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: 11.2.start.exe.730000.1.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock' (2 identical entries)
Source: 11.2.start.exe.730000.1.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.start.exe.730000.1.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\RpDMpvgd55.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: RpDMpvgd55.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RpDMpvgd55.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, start.exe, 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: start.exe, 0000000B.00000002.617396677.0000000003735000.00000004.00000001.sdmp, start.exe, 00000013.00000003.473129874.0000000003D75000.00000004.00000001.sdmp, start.exe, 00000017.00000003.490802427.0000000003F25000.00000004.00000001.sdmp, vbc.exe, 00000021.00000002.576492139.0000000000400000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Code function: 1_2_00CF210E push 9FC390C5h; ret 1_2_00CF2116
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Code function: 1_2_00CF1118 push 98C38DC5h; ret 1_2_00CF10E9
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Code function: 1_2_00CEF023 pushad ; iretd 1_2_00CEF085
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_00F0F023 pushad ; iretd 9_2_00F0F085
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_00F11118 push 98C38DC5h; ret 9_2_00F110E9
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_00F1210E push 9FC390C5h; ret 9_2_00F12116
Source: C:\Users\user\AppData\Local\start.exe Code function: 9_2_0BDCA179 push EC018F44h; iretd 9_2_0BDCA185
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_0035F023 pushad ; iretd 11_2_0035F085
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00361118 push 98C38DC5h; ret 11_2_003610E9
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_0036210E push 9FC390C5h; ret 11_2_00362116
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB32F5 push ss; retf 11_2_00DB32F6
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB326C push ss; retf 11_2_00DB326D
Source: C:\Users\user\AppData\Local\start.exe Code function: 11_2_00DB8930 push 000000C3h; ret 11_2_00DB8945
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_00981118 push 98C38DC5h; ret 13_2_009810E9
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_0098210E push 9FC390C5h; ret 13_2_00982116
Source: C:\Users\user\AppData\Local\start.exe Code function: 13_2_0097F023 pushad ; iretd 13_2_0097F085
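The pairs above are the classic `push imm32 ; ret` disguise for a `jmp imm32`: the pushed constant becomes the return address, so a linear-sweep disassembler sees a function return where the code actually branches, and call/return tracing loses the thread. The following scanner is an added example written for this page, not part of the Joe Sandbox report or of HawkEye. It does a pure byte-pattern scan (no disassembler), so it is a heuristic and will produce false positives on data that happens to contain `0x68`. The sample bytes are constructed: only the two offsets 00CF210E and 00CF2116 come from the report's first line, the three NOP bytes assumed between them and the remaining sequences are invented. One practical check it adds: a 32-bit user-mode process with the default split cannot execute code at addresses of 0x80000000 or above, so a target such as 9FC390C5h would fault if the `ret` ever ran, which suggests the pair is junk or decoy bytes rather than a live branch (an interpretation, not something the report states).

```python
import struct

USER_SPACE_LIMIT = 0x80000000  # default 2 GB user/kernel split for a 32-bit Windows process


def find_push_ret_gadgets(code, base=0, window=24):
    """Byte-pattern scan (no disassembler) for the sequences the report flags:
    push imm32 ... ret/retf, pushad ; iretd, and push ss ; retf.
    'window' bounds how many bytes may sit between the push and its ret."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op == 0x68 and i + 5 <= n:                        # push imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            for j in range(i + 5, min(n, i + 5 + window)):
                b = code[j]
                if b in (0xC3, 0xCB):                         # ret / retf consumes the pushed value
                    hits.append({"offset": base + i, "kind": "push imm32 ; ret", "target": imm,
                                 "ret_offset": base + j,
                                 "plausible_user_target": imm < USER_SPACE_LIMIT})
                    break
                if b in (0x68, 0xE8, 0xE9):                   # another push/call/jmp first: not this pair
                    break
            i += 5
            continue
        if op == 0x60 and i + 1 < n and code[i + 1] == 0xCF:  # pushad ; iretd
            hits.append({"offset": base + i, "kind": "pushad ; iretd", "target": None,
                         "ret_offset": base + i + 1, "plausible_user_target": None})
            i += 2
            continue
        if op == 0x16 and i + 1 < n and code[i + 1] == 0xCB:  # push ss ; retf
            hits.append({"offset": base + i, "kind": "push ss ; retf", "target": None,
                         "ret_offset": base + i + 1, "plausible_user_target": None})
            i += 2
            continue
        i += 1
    return hits


def describe(hit):
    """Render a hit in the same shape as the report's 'Code function' lines."""
    if hit["target"] is None:
        return f"{hit['offset']:08X} {hit['kind']} {hit['ret_offset']:08X}"
    return f"{hit['offset']:08X} push {hit['target']:08X}h; ret {hit['ret_offset']:08X}"


# Constructed sample (not bytes from the sample file): the report's first pair
# (push 9FC390C5h at 00CF210E, ret at 00CF2116) with three assumed NOP filler
# bytes, then pushad;iretd, a push/ret to a plausible user-mode address, and
# push ss;retf.
SAMPLE = (b"\x68\xC5\x90\xC3\x9F" + b"\x90" * 3 + b"\xC3"
          + b"\x60\xCF"
          + b"\x68\x00\x10\x40\x00\xC3"
          + b"\x16\xCB")
SAMPLE_BASE = 0x00CF210E

if __name__ == "__main__":
    for h in find_push_ret_gadgets(SAMPLE, base=SAMPLE_BASE):
        note = "" if h["plausible_user_target"] in (True, None) else "(target not in 32-bit user space)"
        print(describe(h), note)
```

Run against a real dump, pass the section's raw bytes and its mapped virtual address as `base`; the printed lines then line up with the report's `Code function` entries, and the `plausible_user_target` flag separates branch targets worth following from pairs that can only be data.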
PE file contains sections with non-standard names
Source: RpDMpvgd55.exe Static PE information: section name: lUhFD
Source: RpDMpvgd55.exe Static PE information: section name: (empty, nameless section)
Source: start.exe.4.dr Static PE information: section name: lUhFD
Source: start.exe.4.dr Static PE information: section name: (empty, nameless section)
Source: initial sample Static PE information: section name: lUhFD entropy: 7.99971985547

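The static indicators in this block (a section named lUhFD with entropy 7.9997 out of a maximum of 8, a ZLIB complexity above 1.0 meaning zlib output is larger than its input, and a section with no name at all) are what a packed or encrypted payload looks like before any code runs. The example below is added for this page and is not tooling from the report; it parses only the COFF section table in pure Python (for real samples use `pefile`, which this is not) and computes the same three indicators. The PE it analyses is constructed by `build_minimal_pe`, a header-only builder that produces a file no loader would accept; the section names, flags and byte patterns in `sample_pe` are assumptions chosen to mirror the report, not data from the sample.

```python
import hashlib
import math
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                        ".edata", ".pdata", ".bss", ".tls", ".CRT"}


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data):
    """Compressed size divided by original size. About 1.0 or more means the
    bytes do not compress, which is how encrypted or already-packed data looks."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe):
    """Walk the COFF section table; return name, characteristics and raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for k in range(num_sections):
        raw_name, _vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = \
            struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * k)
        sections.append({"name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": chars, "virtual_address": vaddr,
                         "data": pe[raw_ptr:raw_ptr + raw_size]})
    return sections


def assess_sections(pe):
    """One finding per section carrying the indicators the report lists."""
    findings = []
    for s in parse_sections(pe):
        ent = shannon_entropy(s["data"])
        findings.append({
            "name": s["name"],
            "nameless": s["name"] == "",
            "nonstandard_name": s["name"] not in COMMON_SECTION_NAMES,
            "executable": bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE),
            "entropy": round(ent, 4),
            "zlib_complexity": round(zlib_complexity(s["data"]), 4),
            "likely_packed": ent > 7.0 and len(s["data"]) >= 256,
        })
    return findings


def build_minimal_pe(sections):
    """Constructed test input: DOS header, PE signature, COFF header without an
    optional header, a section table and the raw section bytes. Not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)   # raw data follows the headers
    table, blobs = b"", b""
    for idx, (name, data, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(data), 0x1000 * (idx + 1), len(data), ptr, 0, 0, 0, 0, chars)
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


def sample_pe():
    """Three constructed sections mirroring the report: a low-entropy .text,
    a high-entropy non-standard 'lUhFD' section, and a nameless one."""
    code = b"\x55\x8b\xec\x83\xec\x10" * 200                       # repetitive prologue bytes
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4096 pseudo-random bytes
    return build_minimal_pe([
        (".text", code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        ("lUhFD", packed, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        ("", b"\0" * 512, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ])


if __name__ == "__main__":
    for f in assess_sections(sample_pe()):
        print(f)
```

On the constructed input the lUhFD section comes out with entropy above 7.9 and a zlib ratio at or above 1.0, the same combination the report records for the real file, while the repetitive .text stays far below the packing threshold. The threshold of 7.0 bits per byte is a common rule of thumb, not a fixed standard; legitimate resources such as embedded PNGs or certificates also score high, so treat the flag as a prompt to look, not a verdict.
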
Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\start.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\start.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Application (2 identical entries) Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\RpDMpvgd55.exe File opened: C:\Users\user\Desktop\RpDMpvgd55.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe File opened: C:\Users\user\AppData\Local\start.exe:Zone.Identifier read attributes | delete (3 identical entries) Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\start.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
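Taken together, the process tree, the Run key write and the Zone.Identifier deletion above form a detectable chain: `cmd.exe /c copy` places a copy of the sample at `%LOCALAPPDATA%\start.exe`; `explorer.exe /c,` is used to launch it, so the copy's recorded parent is `explorer.exe` rather than the dropper; the copy then starts `vbc.exe` (the VB.NET compiler) with NirSoft's `/stext` switch and writes the recovered credentials to `%TEMP%\tmpXXXX.tmp`, which is consistent with the WebBrowserPassView and mailpv PDB paths found in `vbc.exe` memory and with the "process hollowing" signature; finally it sets a Run value and deletes its own mark-of-the-web stream. The rule set below is an added example written for this page, not a Joe Sandbox, Sigma or vendor rule. The event records are constructed by hand from the report's lines (field names `type`, `parent`, `image`, `cmdline`, `key`, `path`, `access`, `query` are assumptions; a real Sysmon or EDR export uses its own schema), and a benign Explorer-launched program is included as a control.

```python
import re

# Constructed event records, modelled on the process tree, registry, file and
# WMI entries of the report. Hand-written test input, not a real sandbox or EDR export.
EVENTS = [
    {"type": "process", "parent": r"C:\Users\user\Desktop\RpDMpvgd55.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\Desktop\RpDMpvgd55.exe" "C:\Users\user\AppData\Local\start.exe"'},
    {"type": "process", "parent": r"C:\Users\user\Desktop\RpDMpvgd55.exe",
     "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r'"C:\Windows\System32\explorer.exe" /c, "C:\Users\user\AppData\Local\start.exe"'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\AppData\Local\start.exe",
     "cmdline": r'"C:\Users\user\AppData\Local\start.exe"'},
    {"type": "process", "parent": r"C:\Users\user\AppData\Local\start.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8598.tmp"'},
    {"type": "registry", "image": r"C:\Users\user\AppData\Local\start.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Application"},
    {"type": "file", "image": r"C:\Users\user\AppData\Local\start.exe",
     "path": r"C:\Users\user\AppData\Local\start.exe:Zone.Identifier", "access": "delete"},
    {"type": "wmi", "image": r"C:\Users\user\AppData\Local\start.exe",
     "query": "SELECT ProcessorId FROM Win32_Processor"},
    # Benign control: Explorer launching an installed program must not fire.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe"'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.IGNORECASE)
# .NET framework utilities commonly hollowed to host the NirSoft recovery tools
HOLLOW_HOSTS = {"vbc.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}
FINGERPRINT_CLASSES = re.compile(r"Win32_(Processor|NetworkAdapter|BIOS|ComputerSystem|DiskDrive)",
                                 re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def r_self_copy(ev):
    if ev["type"] != "process" or basename(ev["image"]) != "cmd.exe":
        return None
    cl = ev["cmdline"].lower()
    if "/c copy" in cl and ev["parent"].lower() in cl and USER_WRITABLE.search(ev["cmdline"]):
        return "cmd.exe copies its parent executable into AppData"
    return None


def r_explorer_launcher(ev):
    if ev["type"] != "process":
        return None
    if basename(ev["image"]) == "explorer.exe" and re.search(r"\s/c,?\s", ev["cmdline"]):
        return "explorer.exe invoked with /c to launch a file; the child will be re-parented to explorer.exe"
    if basename(ev["parent"]) == "explorer.exe" and USER_WRITABLE.search(ev["image"]):
        return "explorer.exe spawned an executable from a user-writable AppData path"
    return None


def r_credential_tool_host(ev):
    if ev["type"] == "process" and basename(ev["image"]) in HOLLOW_HOSTS \
            and "/stext" in ev["cmdline"].lower():
        return ".NET utility started with the NirSoft /stext switch (hollowed credential dumper)"
    return None


def r_run_key(ev):
    if ev["type"] == "registry" and ev["key"].lower().endswith(r"\currentversion\run") \
            and USER_WRITABLE.search(ev["image"]):
        return "Run key written by a process running from AppData"
    return None


def r_motw_strip(ev):
    if ev["type"] == "file" and ev["path"].lower().endswith(":zone.identifier") \
            and ev["access"] == "delete":
        return "Zone.Identifier stream deleted (mark-of-the-web removed)"
    return None


def r_wmi_fingerprint(ev):
    if ev["type"] == "wmi" and FINGERPRINT_CLASSES.search(ev["query"]) \
            and USER_WRITABLE.search(ev["image"]):
        return "hardware fingerprinting via WMI from a process in AppData"
    return None


RULES = {
    "self_copy_to_appdata": r_self_copy,
    "explorer_launcher": r_explorer_launcher,
    "credential_tool_host": r_credential_tool_host,
    "run_key_persistence": r_run_key,
    "motw_removed": r_motw_strip,
    "wmi_fingerprint": r_wmi_fingerprint,
}


def detect(events):
    """Return (event index, rule name, message) for every rule that matches."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            msg = rule(ev)
            if msg:
                hits.append((idx, name, msg))
    return hits


if __name__ == "__main__":
    for idx, name, msg in detect(EVENTS):
        print(f"event {idx}: {name}: {msg}")
```

Each rule on its own is noisy (developers do run vbc.exe, installers do write Run values); the value is in correlating them on one process lineage, which is what `detect` returns the event index for. The `explorer_launcher` rule fires twice here on purpose: once on the dropper's `explorer.exe /c,` invocation and once on the re-parented child, so a hunt that only walks parent-child edges still sees the break in the chain.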
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process information set: NOOPENFILEERRORBOX (28 identical entries) Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX (35 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\start.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration (3 occurrences)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RpDMpvgd55.exe TID: 6956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\start.exe TID: 6400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\start.exe TID: 6980 Thread sleep count: 122 > 30
Source: C:\Users\user\AppData\Local\start.exe TID: 6980 Thread sleep time: -122000s >= -30000s
Source: C:\Users\user\AppData\Local\start.exe TID: 4232 Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\start.exe TID: 4232 Thread sleep time: -85000s >= -30000s
Source: C:\Users\user\AppData\Local\start.exe TID: 4240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\start.exe TID: 6972 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\start.exe TID: 4892 Thread sleep count: 98 > 30
Source: C:\Users\user\AppData\Local\start.exe TID: 4892 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Local\start.exe TID: 1868 Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\start.exe TID: 1868 Thread sleep time: -76000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\start.exe Last function: Thread delayed (6 occurrences)
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\start.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Contains capabilities to detect virtual machines
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\start.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor (3 occurrences)
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\start.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: start.exe, 00000011.00000002.501148038.0000000003010000.00000004.00000001.sdmp Binary or memory string: Vboxservice
Source: start.exe, 00000011.00000002.501148038.0000000003010000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: explorer.exe, 00000008.00000002.607854267.00000000009D1000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:q
Source: explorer.exe, 00000008.00000002.607854267.00000000009D1000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000008.00000002.607854267.00000000009D1000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\start.exe Process token adjusted: Debug (3 occurrences)
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\start.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 (4 occurrences)
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 385008
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 2E5008
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 2F2008
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 367008
.NET source code references suspicious native API functions
Source: 11.2.start.exe.730000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\start.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write (4 occurrences)
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Users\user\AppData\Local\start.exe base: 730000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\start.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A (4 occurrences)
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c copy 'C:\Users\user\Desktop\RpDMpvgd55.exe' 'C:\Users\user\AppData\Local\start.exe'
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\System32\explorer.exe' /c, 'C:\Users\user\AppData\Local\start.exe'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Users\user\AppData\Local\start.exe C:\Users\user\AppData\Local\start.exe
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp8598.tmp'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp7DB4.tmp'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Users\user\AppData\Local\start.exe C:\Users\user\AppData\Local\start.exe
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Users\user\AppData\Local\start.exe C:\Users\user\AppData\Local\start.exe
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpD4F0.tmp'
Source: C:\Users\user\AppData\Local\start.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFEB0.tmp'

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Queries volume information: C:\Users\user\Desktop\RpDMpvgd55.exe VolumeInformation
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Users\user\AppData\Local\start.exe VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Users\user\AppData\Local\start.exe VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Users\user\AppData\Local\start.exe VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Users\user\AppData\Local\start.exe VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Users\user\AppData\Local\start.exe VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Users\user\AppData\Local\start.exe VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\RpDMpvgd55.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: bdagent.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: avgrsx.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: avcenter.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: avp.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: avgcsrvx.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: avgnt.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: hijackthis.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: avgwdsvc.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: start.exe, 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, start.exe, 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, start.exe, 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 19.3.start.exe.3d75810.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f7db5a.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3fa5810.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.start.exe.3dcdb5a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.start.exe.37d1990.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3ffdb5a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3fa5810.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f25b55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3fa5b55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f25810.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3ffdb5a.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.start.exe.3d75b55.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.start.exe.37d1990.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.start.exe.3d75810.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.start.exe.3dcdb5a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f7db5a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f25810.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.start.exe.3735950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.617396677.0000000003735000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.614686157.000000000284E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.428810541.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.576492139.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.473129874.0000000003D75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.490802427.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: start.exe PID: 1724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1768, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 13.2.start.exe.4bc23e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.start.exe.730000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4aff1c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.50a23e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4dc8179.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4e795c9.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.5018179.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4e795c9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4dc8179.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4c295c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.490f1c9.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4db23e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.start.exe.520000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4d28179.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4def1c9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4aff1c9.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4b895c9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4d28179.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4b9f1c9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.start.exe.500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4e523e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.490f1c9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.50a23e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4c295c9.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.4b38179.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.4bc23e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.4b38179.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4db23e0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.49995c9.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.4e523e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4def1c9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.49995c9.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4b895c9.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.5018179.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.start.exe.4936a10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RpDMpvgd55.exe.49d6a10.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.start.exe.4746a10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.start.exe.4c26a10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.608775895.0000000000522000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.484936164.0000000004746000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.370358724.0000000004DC8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611636873.0000000002582000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.611953012.0000000002734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.608001079.0000000000502000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.486549188.0000000004B38000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.503262589.0000000004D28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.608934819.0000000000732000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.441589720.0000000005018000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.439008892.0000000004C26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502748889.0000000004936000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.368874636.00000000049D6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RpDMpvgd55.exe PID: 6900, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 1724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 3940, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6428, type: MEMORYSTR
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 19.3.start.exe.3d75810.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3fa5810.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.start.exe.36b5950.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.start.exe.3735950.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.start.exe.3505950.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3fa5810.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f25b55.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3fa5b55.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f25810.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f25b55.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.start.exe.3d75b55.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.start.exe.3d75810.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.start.exe.3fa5b55.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.start.exe.36b5950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.3.start.exe.3d75b55.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.3.start.exe.3f25810.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.start.exe.3735950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.start.exe.3505950.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000002.611611100.00000000026C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.611844683.0000000002743000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.613981984.0000000003505000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.617396677.0000000003735000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.428810541.0000000003FA5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.511356001.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.491000117.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.614119011.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611315160.0000000002511000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.473129874.0000000003D75000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.490802427.0000000003F25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.450752133.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: start.exe PID: 1724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2232, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: start.exe PID: 1724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 4928, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: start.exe PID: 6428, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Detected HawkEye Rat
Source: RpDMpvgd55.exe, 00000001.00000002.370358724.0000000004DC8000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: start.exe, 00000009.00000002.439008892.0000000004C26000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: start.exe, 0000000B.00000002.608934819.0000000000732000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: start.exe, 0000000D.00000002.484936164.0000000004746000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: start.exe, 00000011.00000002.503262589.0000000004D28000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: start.exe, 00000013.00000002.608001079.0000000000502000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: start.exe, 00000017.00000002.608775895.0000000000522000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
No contacted IP information