
Windows Analysis Report 9jV2cBN6cQ

Overview

General Information

Sample Name: 9jV2cBN6cQ (renamed file extension from none to exe)
Analysis ID: 489483
MD5: b105bec27851dabe21e1cf1c56bfda0e
SHA1: f822c5a33d94cbea0f69ce327257420b33b0d552
SHA256: ed133e3bc6f781c4a981f93c180e38c70572ad80e48c12294585767e583b9d0f
Tags: 32 exe trojan

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Detected HawkEye Rat
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to log keystrokes (.Net Source)
Tries to steal Mail credentials (via file registry)
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
.NET source code contains very large strings
Tries to steal Mail credentials (via file access)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
May infect USB drives
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Uses FTP
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • 9jV2cBN6cQ.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\9jV2cBN6cQ.exe' MD5: B105BEC27851DABE21E1CF1C56BFDA0E)
    • 9jV2cBN6cQ.exe (PID: 4240 cmdline: C:\Users\user\Desktop\9jV2cBN6cQ.exe MD5: B105BEC27851DABE21E1CF1C56BFDA0E)
      • vbc.exe (PID: 6444 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6436 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.915272981.0000000007160000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000007.00000002.692945681.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000005.00000002.915336004.0000000007320000.00000004.00020000.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x1085d0:$key: HawkEyeKeylogger
  • 0x10a7ce:$salt: 099u787978786
  • 0x108be9:$string1: HawkEye_Keylogger
  • 0x109a3c:$string1: HawkEye_Keylogger
  • 0x10a72e:$string1: HawkEye_Keylogger
  • 0x108fd2:$string2: holdermail.txt
  • 0x108ff2:$string2: holdermail.txt
  • 0x108f14:$string3: wallet.dat
  • 0x108f2c:$string3: wallet.dat
  • 0x108f42:$string3: wallet.dat
  • 0x10a310:$string4: Keylog Records
  • 0x10a628:$string4: Keylog Records
  • 0x10a826:$string5: do not script -->
  • 0x1085b8:$string6: \pidloc.txt
  • 0x10861e:$string7: BSPLIT
  • 0x10862e:$string7: BSPLIT

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.9jV2cBN6cQ.exe.7160000.9.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.9jV2cBN6cQ.exe.45fa72.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
5.2.9jV2cBN6cQ.exe.3b29930.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
5.2.9jV2cBN6cQ.exe.7320000.10.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
6.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 9jV2cBN6cQ.exe | Virustotal: Detection: 54%
Source: 9jV2cBN6cQ.exe | Metadefender: Detection: 42%
Source: 9jV2cBN6cQ.exe | ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: 9jV2cBN6cQ.exe | Joe Sandbox ML: detected
Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack | Avira: Label: TR/Inject.vcoldi
Source: 9jV2cBN6cQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 9jV2cBN6cQ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then call 0510A6E8h
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then call 0510A6E8h
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then call 0510A6E8h
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: unknown | FTP traffic detected: 66.70.204.222:21 -> 192.168.2.4:49757
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 09:37. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.692945681.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.692945681.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000007.00000002.693157801.000000000093E000.00000004.00000040.sdmp | String found in binary or memory: en_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginhom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000002.693157801.000000000093E000.00000004.00000040.sdmp | String found in binary or memory: en_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginhom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.691191430.00000000020FD000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr | String found in binary or memory: http://172.217.23.78/
Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 9jV2cBN6cQ.exe, 00000005.00000002.913694607.0000000002CB4000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.vn-gpack.org
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0:
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0B
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0E
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0F
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0K
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0M
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0R
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.msocsp.com0
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/gsr202
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0-
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=333&w=311
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eTok.img?h=75&w=100
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=166&w=31
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=333&w=31
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://support.google.com/accounts/answer/151657
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.652217657.00000000060AD000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html1
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671368622.0000000006070000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671368622.0000000006070000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.647882688.000000000608B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comY
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000001.00000003.649722154.00000000016CD000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000001.00000003.649937461.0000000006077000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.650207946.0000000006078000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn.a
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.650304025.0000000006076000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.650304025.0000000006076000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/baw
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.649646988.000000000607D000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.649937461.0000000006077000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cng
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.649937461.0000000006077000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnta
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://www.google.com/
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://www.msn.com
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 00000007.00000003.691362859.0000000002105000.00000004.00000001.sdmp, bhv6C63.tmp.7.drString found in binary or memory: http://www.msn.com/?ocid=iehp
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhv6C63.tmp.7.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, vbc.exe, 00000007.00000002.692945681.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.647343939.0000000006073000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.647343939.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.647343939.0000000006073000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comeIz
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: 9jV2cBN6cQ.exe, 00000001.00000003.649225415.000000000608B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comiva
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: vbc.exe, 00000007.00000003.691554039.00000000020FD000.00000004.00000001.sdmp, bhv6C63.tmp.7.drString found in binary or memory: https://172.217.23.78/
            Source: vbc.exe, 00000007.00000003.690549057.000000000211A000.00000004.00000001.sdmp, bhv6C63.tmp.7.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNRfxSclVePPTskt_ULwutuxovZBENP6CQBK41sqxH
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNSN_Te_GQT33AAAR6UNrVcn3a-PGny50bSNsHlzoT
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNRxRJyZzZp4KXfYTC7Z4q4fsi2jmRa8YGEqdB288n
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://adservice.google.com/adsid/google/ui
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
            Source: vbc.exe, 00000007.00000003.690549057.000000000211A000.00000004.00000001.sdmp, bhv6C63.tmp.7.drString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://contextual.media.net/
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
            Source: bhv6C63.tmp.7.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: vbc.exe, 00000007.00000003.690950627.000000000093E000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.690830521.000000000093D000.00000004.00000001.sdmp, vbc.exe, 00000007.00000003.690899752.0000000002715000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQE7dARJDf70CVtvXguPcFi4kAoAFTTEX3FZ_Kd&s=0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQEZeIjizh9n8teY_8BOjsYtpLHwSdIq3PT-WQtot4&s=10
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQFso5PEv3c0kRR2gODJUq62DZF6fnxNsqKUTBX-00QeuCR
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQJBttAzO3yKFNSKzEm8qyQoBw2vbSHn0xMB0yhbgc&s=10
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSkA3BhTLNTXreS8GxkTmsFGydHUKxWR3gtSn5&s=0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQYaLHOGeTAvxcl2Kvu_RGdrblf1tOpndi7m5_OMgFvfzlI
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQc9-XcC69nXJpriIbLos4bSDdjrz_nByi2zL9xxJ4&s=10
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQcijPNIB_ZGSU0DrjPI_tJ1YOI-6PHUbyHUjTLi3M5nnkK
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQehqYcvOrRcw1YORGnrCzHbNyjMegefhpqYrPQO8G2_KPc
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQyeaAiOCtrhzoyiUuHOZcp67UWv4aYiYIKZ629tWqIyQ_l
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcR6qDJUCBqqO8k81oIRUuLKwKNP-ux5oIGn1btf&s=0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRXMqY1lU5NXqI7H2QRWgHFAYTsfVdew3_6QMhtv0g&s=10
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRZaO1x4iyU-YgxgvuerXdFmXdj8Ce3rNy8Mqw2SlqePXDg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRlHYHZu1FxxbUNbpii9NbSF3wy4srqmfLAOC-QBxw&s
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS2yfg_cFEuqKFbNZCaFykqy-jW3vHyGM224t0Sov33iXvh
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS7Tsy61sPGCiV6yILYtCYyP2q9i9bHmXBPqktk0xQvTH0l
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS9bnSRFZj9kLnT0CeZ7r27C9IrO3sFLnQL62gz&s=0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSHEjIxVJou5NRecC2n_FnHaUJDfppR3IDOglu2Ry9INoxt
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSKx7_Dt9K5OFgp-raiLw2XdVNOTbR27N_DCL6T8VDVN_16
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSTkM_f5rN2hSSg3E_UshkUpgZ0a66Lz0rF6gF6&s=0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcScI5035wSfgyvpN8fX27BnFHfF4a7I8z7Xlm7v&s=0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSpNsTsg--kCoAxXjTvRrABIfJjd5ITzVx14ODQUC4wDGzB
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSrCEL2r-B2oHHnS0EeiVjQLJYayeF4GHjCZod9vr4&s
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSvX77JsybkskW6WoLj5kY6exJKuOkXoRWSsNgJbFY&s
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcT9-gm37CbSVQ1QMRdyqOvdY12lHBO7fXpaqZZqKP2Wbjr2
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTKoe8A2_V1bWtOlP5fx10ZdjsJZv6l2_sKjTp6jVAPnp0g
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcThUknsbAksExwESRgK7TW5ujPLzgeGDT0-A3f5a1XrdyR-
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTo0t2j428kWHZlc2etqXbsI-zLrpgSp87E2H24&s=0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v14/4UabrENHsxJlGDuGo1OIlLU94YtzCwA.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc-.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmSU5fBBc-.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQN
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBm
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipOcdIDtTfqJElTfRhjdFP9dPcYlW61iEhrydiuX=w92-h92-n-k-no
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/ConvergedLogin_PCore.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/Converged_v21033.css
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/images/ellipsis_white.svg?x=5ac590ee72bfe06a7cecfd75b588
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/images/microsoft_logo.svg?x=ee5c8d9fb6248c938fd0dc19370e
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
            Source: vbc.exe, 00000007.00000003.690549057.000000000211A000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
            Source: vbc.exe, 00000007.00000003.690899752.0000000002715000.00000004.00000001.sdmp String found in binary or memory: https://ogs.google.com/widget/callouthttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2019-06-26-21-10-17/PreSignInSettingsConfig.json
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2019-06-26-21-10-17/PreSignInSettingsConfig.json?One
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json?One
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/19.086.0502.0006/OneDriveSetup.exe
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/19.103.0527.0003/update1.xml?OneDriveUpdate=d580ab8fe35aabd7f368aa
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update1.xml?OneDriveUpdate=285df6c9c501a160c7a24c
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update1.xml?OneDriveUpdate=4a941ab240f8b2c5ca3ca1
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://pki.goog/repository/0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=28e3747a031f4b2a8498142b7c961529&c=MSN&d=http%3A%2F%2Fwww.msn
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://ssl.gstatic.com/gb/images/i1_1967ca6a.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.digicert.com/CPS0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=993498051.1601450642
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/?gws_rd=ssl
            Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/async/bgasy?ei=gTJ0X7zPLY2f1fAPlo2xoAI&yv=3&async=_fmt:jspb
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pq
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&ps
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=ch&cp=2&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=chr&cp=3&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=chro&cp=4&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=chrom&cp=5&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuse
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authus
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/favicon.ico
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/images/hpp/Chrome_Owned_96x96.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/images/icons/material/system/1x/email_grey600_24dp.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/images/nav_logo299.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/images/phd/px.gif
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/application/x-msdownloadC:
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/js/bg/4sIGg4Q0MrxdMwjTwsyJBGUAZbljSmH8-8Fa9_hVOC0.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/search
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
            Source: vbc.exe, 00000007.00000003.690674759.0000000002105000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/searchp/LinkId=255141
            Source: vbc.exe, 00000007.00000003.690549057.000000000211A000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/am=AAAAAABA
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUe
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.ConsentUi.en_GB.wmTUy5P6FUM.es5.O/ck=
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.bMYZ6MazNlM.
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/ac/cb/cb_cbu_kickin.svg
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_92x36dp.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/check_black_24dp.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/keyboard_arrow_down_grey600_24dp.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/kpui/social/fb_32x32.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/kpui/social/twitter_32x32.png
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.og2.en_US.vA2d_upwXfg.O/rt=j/m=def
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.LGkrjG2a9yI.O/rt=j/m=qabr
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.CniBF78B8Ew.L.X.O/m=qcwid/excm=qaaw
            Source: bhv6C63.tmp.7.dr String found in binary or memory: https://www.gstatic.com/ui/v1/activityindicator/loading_24.gif
            Source: vbc.exe, 00000007.00000003.691157917.0000000002105000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr String found in binary or memory: https://www.msn.com/
            Source: vbc.exe, 00000007.00000003.691126387.0000000002105000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com//searchp/LinkId=255141
            Source: vbc.exe, 00000007.00000002.693157801.000000000093E000.00000004.00000040.sdmp, vbc.exe, 00000007.00000003.691603469.0000000002718000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://micros
            Source: vbc.exe, 00000007.00000003.691697208.000000000210A000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr String found in binary or memory: https://www.msn.com/spartan/dhp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisol
            Source: unknown DNS traffic detected: queries for: 90.168.9.0.in-addr.arpa
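Almost every URL above was recovered from bhv6C63.tmp, a browser-cache file dropped by process index 7 (the same index the vbc.exe memory dumps carry), so most of it is the sandbox's own browsing residue rather than attacker infrastructure. The entries worth a second look are the ones attributed to vbc.exe itself: the hollowed .NET compiler process holds the login URLs for Yahoo and Google accounts that NirSoft's Mail PassView and WebBrowserPassView carry as recovery targets, which is what lines up with the "Yara detected MailPassView" verdict in the summary. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in this report's "Source: ... String found in binary or memory: ..." form (tolerating the fused separator in this copy), separates strings that exist only in the dropped cache file from those resident in process memory, flags strings that ran together in the dump, and pulls out the credential-tool markers. Reading the fourth dot-separated field of an .sdmp identifier as the dump's base address is an assumption drawn from the naming pattern visible on this page, and the sample lines are copied from the report.

```python
"""Triage 'String found in binary or memory' lines from a Joe Sandbox report.

Added example for this report; not Joe Sandbox code. Separates browser-cache
noise from strings resident in the injected process and flags the login-URL
markers that NirSoft credential-recovery tools embed.
"""
import re
from collections import defaultdict

# Login URLs embedded in NirSoft Mail PassView / WebBrowserPassView, which
# HawkEye bundles. Seen in the hollowed vbc.exe image in this report.
CREDENTIAL_TOOL_MARKERS = {
    "https://login.yahoo.com/config/login",
    "https://www.google.com/accounts/servicelogin",
}

# 'Source: <sources> String found in binary or memory: <string>'.
# The whitespace before 'String' is optional: the scraped copy of the
# report fuses the two table cells ('...7.drString found...').
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*String found in binary or memory:\s*(?P<s>\S+)"
)
# Memory-dump ids look like 00000007.00000003.690549057.000000000211A000.00000004.00000001.sdmp.
# Assumption: first field is the process index, fourth is the 64-bit base address.
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\..*\.sdmp$"
)

# Constructed sample: six lines copied from the report, in their scraped form.
SAMPLE_REPORT_LINES = [
    "Source: bhv6C63.tmp.7.drString found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js",
    "Source: bhv6C63.tmp.7.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google",
    "Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login",
    "Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin",
    "Source: vbc.exe, 00000007.00000003.691157917.0000000002105000.00000004.00000001.sdmp, bhv6C63.tmp.7.drString found in binary or memory: https://www.msn.com/",
    "Source: vbc.exe, 00000007.00000002.693157801.000000000093E000.00000004.00000040.sdmp, vbc.exe, 00000007.00000003.691603469.0000000002718000.00000004.00000001.sdmpString found in binary or memory: https://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://micros",
    "Source: unknownDNS traffic detected: queries for: 90.168.9.0.in-addr.arpa",
]


def parse_line(line):
    """Return {'string', 'processes', 'dropped_files', 'dumps'} or None if the
    line is not a 'String found in binary or memory' entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"string": m.group("s"), "processes": set(), "dropped_files": set(), "dumps": []}
    for tok in (t.strip() for t in m.group("src").split(",")):
        if not tok:
            continue
        dm = DUMP_RE.match(tok)
        if dm:
            entry["dumps"].append((dm.group("proc"), int(dm.group("base"), 16)))
        elif tok.endswith(".dr"):          # Joe Sandbox suffix for dropped files
            entry["dropped_files"].add(tok)
        else:                              # a process image, e.g. vbc.exe
            entry["processes"].add(tok)
    return entry


def classify(entry):
    """Bucket one parsed entry by what it tells the analyst."""
    s = entry["string"]
    if s in CREDENTIAL_TOOL_MARKERS:
        return "credential_tool_marker"
    if s.count("://") > 1:
        # Two or more URLs with no terminator between them: an artifact of
        # string extraction from a dump, not a real URL. Split before pivoting.
        return "run_together_strings"
    if entry["processes"] or entry["dumps"]:
        return "process_memory"
    return "dropped_file_only"             # only in the sandbox's browser cache


def triage(lines):
    """Group the strings of all parseable lines by classification."""
    buckets = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            buckets[classify(entry)].append(entry["string"])
    return dict(buckets)


if __name__ == "__main__":
    for bucket, strings in triage(SAMPLE_REPORT_LINES).items():
        print(f"{bucket} ({len(strings)})")
        for s in strings:
            print("   ", s)
```

Run against the full section rather than the sample and the dropped_file_only bucket absorbs the several hundred cache URLs, leaving a handful of process-memory strings to review by hand; the credential_tool_marker bucket is the one that belongs in the incident notes.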

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected HawkEye KeyloggerShow sources
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.2b4b240.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 6968, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 4240, type: MEMORYSTR
            Contains functionality to log keystrokes (.Net Source)
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.663963221.000000000126A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.9jV2cBN6cQ.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.9jV2cBN6cQ.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 5.2.9jV2cBN6cQ.exe.2b4b240.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
            .NET source code contains very large strings
            Source: 9jV2cBN6cQ.exe, RSAPKCS1KeyExchangeDeformatt/UTF8EncodingSeal.cs | Long String: Length: 115393
            Source: 1.2.9jV2cBN6cQ.exe.b10000.0.unpack, RSAPKCS1KeyExchangeDeformatt/UTF8EncodingSeal.cs | Long String: Length: 115393
            Source: 1.0.9jV2cBN6cQ.exe.b10000.0.unpack, RSAPKCS1KeyExchangeDeformatt/UTF8EncodingSeal.cs | Long String: Length: 115393
            Source: 5.0.9jV2cBN6cQ.exe.710000.0.unpack, RSAPKCS1KeyExchangeDeformatt/UTF8EncodingSeal.cs | Long String: Length: 115393
            Source: 5.2.9jV2cBN6cQ.exe.710000.4.unpack, RSAPKCS1KeyExchangeDeformatt/UTF8EncodingSeal.cs | Long String: Length: 115393
            Source: 9jV2cBN6cQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 5.2.9jV2cBN6cQ.exe.7160000.9.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.9jV2cBN6cQ.exe.7320000.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.9jV2cBN6cQ.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 5.2.9jV2cBN6cQ.exe.45fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.9jV2cBN6cQ.exe.2b5eaa4.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.9jV2cBN6cQ.exe.2b4b240.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 5.2.9jV2cBN6cQ.exe.2b4b240.5.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.915272981.0000000007160000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000005.00000002.915336004.0000000007320000.00000004.00020000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
            Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_0714F298 NtResumeThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_07148928 NtResumeThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_07148940 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_0714894C NtSetContextThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_0714F770 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_07148958 NtSetContextThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_07148964 NtResumeThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_07148988 NtResumeThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_071489B8 NtSetContextThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_071489A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_071489AC NtSetContextThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_071489C4 NtResumeThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_0714F828 NtSetContextThread,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_071488E7 NtSetContextThread,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: 9jV2cBN6cQ.exeBinary or memory string: OriginalFilename vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.665983861.0000000004039000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUInt16.dllZ vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000001.00000000.645158865.0000000000B12000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCharUnicodeIn.exe: vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664356361.0000000003031000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSafeLsaPolicy.dllL vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.663963221.000000000126A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.912685500.0000000000712000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCharUnicodeIn.exe: vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.912654800.0000000000482000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913117720.0000000000F2A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exeBinary or memory string: OriginalFilenameCharUnicodeIn.exe: vs 9jV2cBN6cQ.exe
            Source: 9jV2cBN6cQ.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: 9jV2cBN6cQ.exeVirustotal: Detection: 54%
            Source: 9jV2cBN6cQ.exeMetadefender: Detection: 42%
            Source: 9jV2cBN6cQ.exeReversingLabs: Detection: 82%
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\9jV2cBN6cQ.exe 'C:\Users\user\Desktop\9jV2cBN6cQ.exe'
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Users\user\Desktop\9jV2cBN6cQ.exe C:\Users\user\Desktop\9jV2cBN6cQ.exe
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Users\user\Desktop\9jV2cBN6cQ.exe C:\Users\user\Desktop\9jV2cBN6cQ.exe
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9jV2cBN6cQ.exe.log
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\holdermail.txt
            Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@7/5@2/2
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.692945681.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, Form1.csBase64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'LheGPk02Id6HZoF65015O3GcaHw7uYG8ZzY9IpaM/NEVyMPjMy+3JWPGgQJdMbQAvfmSv7EzpwacPW8fjCDJow==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: 9jV2cBN6cQ.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: 9jV2cBN6cQ.exeStatic file information: File size 1154560 > 1048576
            Source: 9jV2cBN6cQ.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 9jV2cBN6cQ.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x119400
            Source: 9jV2cBN6cQ.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 1_2_00BEB8F8 push ds; ret
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 1_2_05516F77 push 1C00005Eh; ret
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 1_2_05B59502 push E801005Eh; ret
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_007EB8F8 push ds; ret
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_0298E673 push esp; ret
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_071405B0 pushfd ; retf
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeCode function: 5_2_074125CE pushad ; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00411879 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004118A0 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00442871 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00442A90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00446E54 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,
            Source: initial sampleStatic PE information: section name: .text entropy: 7.49843619507

            Hooking and other Techniques for Hiding and Protection:

            Changes the view of files in windows explorer (hidden files and folders)
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeKey value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara matchFile source: 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: 9jV2cBN6cQ.exe PID: 6968, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe TID: 6964Thread sleep time: -40544s >= -30000s
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe TID: 6276Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe TID: 5568Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe TID: 6696Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe TID: 6976Thread sleep time: -140000s >= -30000s
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe TID: 6748Thread sleep time: -97400s >= -30000s
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exe TID: 5828Thread sleep time: -180000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeThread delayed: delay time: 180000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeWindow / User API: threadDelayed 487
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004161B0 memset,GetSystemInfo,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeThread delayed: delay time: 40544
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeThread delayed: delay time: 120000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeThread delayed: delay time: 140000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeThread delayed: delay time: 180000
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913140755.0000000000F51000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: bhv6C63.tmp.7.drBinary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20210924T053647Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=55314038a0c249cd99f68507a4d21eab&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1180044&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1180044&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: VMWARE
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.665983861.0000000004039000.00000004.00000001.sdmpBinary or memory string: hgfs<
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Sample uses process hollowing technique
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
            .NET source code references suspicious native API functions
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Users\user\Desktop\9jV2cBN6cQ.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Users\user\Desktop\9jV2cBN6cQ.exe C:\Users\user\Desktop\9jV2cBN6cQ.exe
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913311223.0000000001530000.00000002.00020000.sdmpBinary or memory string: Program Manager
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913311223.0000000001530000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913311223.0000000001530000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913311223.0000000001530000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Users\user\Desktop\9jV2cBN6cQ.exe VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Users\user\Desktop\9jV2cBN6cQ.exe VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00406278 GetVersionExA,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
            Source: C:\Users\user\Desktop\9jV2cBN6cQ.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913140755.0000000000F51000.00000004.00000020.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

            Stealing of Sensitive Information:

            Yara detected MailPassView
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.45fa72.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.3b29930.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.3b29930.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.684007490.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.914204338.0000000003B21000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 6968, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 4240, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6444, type: MEMORYSTR

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.2b4b240.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 6968, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 4240, type: MEMORYSTR

            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword

            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match | File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.409c0d.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.3b41b50.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.3b41b50.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.3b29930.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.692945681.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.914204338.0000000003B21000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 6968, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 4240, type: MEMORYSTR

            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

            Remote Access Functionality:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a8eaaa.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a38c45.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f6a0e8.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.9a37240.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.9jV2cBN6cQ.exe.4ed78c0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.9jV2cBN6cQ.exe.2b4b240.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 6968, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 9jV2cBN6cQ.exe PID: 4240, type: MEMORYSTR

            Detected HawkEye Rat
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: HawkEyeKeylogger
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913140755.0000000000F51000.00000004.00000020.sdmp | String found in binary or memory: ftp://ftp.vn-gpack.org/HawkEye_Keylogger_Stealer_Records_632922 9.24.2021 7:45:08 AM.txtllw
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913140755.0000000000F51000.00000004.00000020.sdmp | String found in binary or memory: /HawkEye_Keylogger_Stealer_Records_632922 9.24.2021 7:45:08 AM.txt
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913682051.0000000002CA8000.00000004.00000001.sdmp | String found in binary or memory: lAHawkEye_Keylogger_Stealer_Records_632922 9.24.2021 7:45:08 AM.txt
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913682051.0000000002CA8000.00000004.00000001.sdmp | String found in binary or memory: lXftp://ftp.vn-gpack.org/HawkEye_Keylogger_Stealer_Records_632922 9.24.2021 7:45:08 AM.txt
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913682051.0000000002CA8000.00000004.00000001.sdmp | String found in binary or memory: ftp://ftp.vn-gpack.org/HawkEye_Keylogger_Stealer_Records_632922%209.24.2021%207:45:08%20AM.txt
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913682051.0000000002CA8000.00000004.00000001.sdmp | String found in binary or memory: l^ftp://ftp.vn-gpack.org/HawkEye_Keylogger_Stealer_Records_632922%209.24.2021%207:45:08%20AM.txt
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913694607.0000000002CB4000.00000004.00000001.sdmp | String found in binary or memory: lAHawkEye_Keylogger_Stealer_Records_632922 9.24.2021 7:45:08 AM.txtP
            Source: 9jV2cBN6cQ.exe, 00000005.00000002.913694607.0000000002CB4000.00000004.00000001.sdmp | String found in binary or memory: lHSTOR HawkEye_Keylogger_Stealer_Records_632922 9.24.2021 7:45:08 AM.txt

            Mitre Att&ck Matrix

            (Numbers after a technique name are the count of matched signatures; empty cells are columns with no further entries.)

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Replication Through Removable Media 1 | Windows Management Instrumentation 1 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | OS Credential Dumping 1 | System Time Discovery 1 | Replication Through Removable Media 1 | Archive Collected Data 11 | Exfiltration Over Alternative Protocol 1 | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Native API 11 | Boot or Logon Initialization Scripts | Process Injection 312 | Deobfuscate/Decode Files or Information 11 | Input Capture 11 | Peripheral Device Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Remote Access Software 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 41 | Credentials in Registry 2 | Account Discovery 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | Credentials In Files 1 | File and Directory Discovery 1 | Distributed Component Object Model | Input Capture 11 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap |  | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | System Information Discovery 18 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 21 | Cached Domain Credentials | Query Registry 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 312 | DCSync | Security Software Discovery 131 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Virtualization/Sandbox Evasion 21 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Process Discovery 4 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
            Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Application Window Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
            Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | System Owner/User Discovery 1 | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
            Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | Remote System Discovery 1 | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS |  |  | Inhibit System Recovery

            Behavior Graph

            [Behavior graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            9jV2cBN6cQ.exe | 54% | Virustotal |
            9jV2cBN6cQ.exe | 43% | Metadefender |
            9jV2cBN6cQ.exe | 82% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
            9jV2cBN6cQ.exe | 100% | Joe Sandbox ML |

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.2.9jV2cBN6cQ.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
            5.2.9jV2cBN6cQ.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
            7.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
            1.2.9jV2cBN6cQ.exe.4f63ce0.5.unpack | 100% | Avira | TR/Inject.vcoldi

            Domains

            Source | Detection | Scanner | Label
            ftp.vn-gpack.org | 2% | Virustotal |

            URLs

            Source | Detection | Scanner | Label
            https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | 0% | Avira URL Cloud | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | 0% | Avira URL Cloud | safe
            https://pki.goog/repository/0 | 0% | URL Reputation | safe
            https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            https://172.217.23.78/ | 0% | Avira URL Cloud | safe
            https://aefd.nelreports.net/api/report?cat=bingrms | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z | 0% | Avira URL Cloud | safe
            http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG | 0% | Avira URL Cloud | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | 0% | Avira URL Cloud | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ | 0% | URL Reputation | safe
            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js | 0% | URL Reputation | safe
            http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg | 0% | URL Reputation | safe
            https://logincdn.msauth.net/16.000.28230.00/images/microsoft_logo.svg?x=ee5c8d9fb6248c938fd0dc19370e | 0% | Avira URL Cloud | safe
            https://logincdn.msauth.net/16.000.28230.00/ConvergedLogin_PCore.js | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            ftp.vn-gpack.org | 66.70.204.222 | true | true | | unknown
            90.168.9.0.in-addr.arpa | unknown | unknown | false | | unknown

              URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            https://www.google.com/chrome/static/css/main.v2.min.css | bhv6C63.tmp.7.dr | false | | high
            https://www.msn.com//searchp/LinkId=255141 | vbc.exe, 00000007.00000003.691126387.0000000002105000.00000004.00000001.sdmp | false | | high
            https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ | vbc.exe, 00000007.00000003.690549057.000000000211A000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr | false | | high
            https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637 | bhv6C63.tmp.7.dr | false | | high
            http://www.msn.com | bhv6C63.tmp.7.dr | false | | high
            http://www.fontbureau.com/designers | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | | high
            https://deff.nelreports.net/api/report?cat=msn | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://contextual.media.net/__media__/js/util/nrrV9140.js | bhv6C63.tmp.7.dr | false | | high
            https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhv6C63.tmp.7.dr | false | | high
            http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | bhv6C63.tmp.7.dr | false | Avira URL Cloud: safe | unknown
            https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1 | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows | bhv6C63.tmp.7.dr | false | | high
            http://whatismyipaddress.com/- | 9jV2cBN6cQ.exe, 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp | false | | high
            http://www.galapagosdesign.com/DPlease | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.site.com/logs.php | 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp | false | | high
            http://www.zhongyicts.com.cn | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 9jV2cBN6cQ.exe, 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp | false | | high
            https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&ps | bhv6C63.tmp.7.dr | false | | high
            https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pq | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k | bhv6C63.tmp.7.dr | false | | high
            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee | bhv6C63.tmp.7.dr | false | | high
            https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | bhv6C63.tmp.7.dr | false | Avira URL Cloud: safe | unknown
            https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c | bhv6C63.tmp.7.dr | false | | high
            https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9 | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/images/download-browser/pixel_phone.png | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png | bhv6C63.tmp.7.dr | false | | high
            https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie | bhv6C63.tmp.7.dr | false | | high
            https://pki.goog/repository/0 | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.msn.com/ | vbc.exe, 00000007.00000003.691157917.0000000002105000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr | false | | high
            https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUe | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/favicon.ico | bhv6C63.tmp.7.dr | false | | high
            http://www.carterandcone.coml | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.msn.com/ | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg | bhv6C63.tmp.7.dr | false | | high
            https://172.217.23.78/ | vbc.exe, 00000007.00000003.691554039.00000000020FD000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr | false | Avira URL Cloud: safe | unknown
            https://www.google.com/images/nav_logo299.png | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-help.jpg | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0& | bhv6C63.tmp.7.dr | false | | high
            https://aefd.nelreports.net/api/report?cat=bingrms | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.google.com/accounts/servicelogin | vbc.exe | false | | high
            https://consent.google.com/set?pc=s&uxe=4421591 | bhv6C63.tmp.7.dr | false | | high
            http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z | bhv6C63.tmp.7.dr | false | Avira URL Cloud: safe | unknown
            https://www.google.com/images/hpp/Chrome_Owned_96x96.png | bhv6C63.tmp.7.dr | false | | high
            http://crl.pki.goog/gsr2/gsr2.crl0? | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            http://pki.goog/gsr2/GTSGIAG3.crt0) | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF | bhv6C63.tmp.7.dr | false | | high
            https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2 | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-fb.jpg | bhv6C63.tmp.7.dr | false | | high
            https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes | bhv6C63.tmp.7.dr | false | | high
            https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_ | bhv6C63.tmp.7.dr | false | | high
            http://www.founder.com.cn/cn/bThe | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https | vbc.exe, 00000007.00000003.690549057.000000000211A000.00000004.00000001.sdmp, bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authus | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/images/phd/px.gif | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/images/homepage/google-canary.png | bhv6C63.tmp.7.dr | false | | high
            https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG | bhv6C63.tmp.7.dr | false | Avira URL Cloud: safe | unknown
            https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png | bhv6C63.tmp.7.dr | false | | high
            https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/js/main.v2.min.js | bhv6C63.tmp.7.dr | false | | high
            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf | bhv6C63.tmp.7.dr | false | | high
            https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9 | bhv6C63.tmp.7.dr | false | | high
            http://www.typography.netD | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://fontfabrik.com | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBm | bhv6C63.tmp.7.dr | false | | high
            https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/intl/en_uk/chrome/ | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg | bhv6C63.tmp.7.dr | false | | high
            https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQN | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/intl/en_uk/chrome/application/x-msdownloadC: | bhv6C63.tmp.7.dr | false | | high
            http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | bhv6C63.tmp.7.dr | false | Avira URL Cloud: safe | unknown
            http://www.fonts.com | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | | high
            http://www.sandoll.co.kr | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094 | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/js/installer.min.js | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/search | bhv6C63.tmp.7.dr | false | | high
            https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png | bhv6C63.tmp.7.dr | false | | high
            https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.google.com/images/icons/material/system/1x/email_grey600_24dp.png | bhv6C63.tmp.7.dr | false | | high
            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/homepage/google-beta.png | bhv6C63.tmp.7.dr | false | | high
            http://www.msn.com/de-ch/?ocid=iehp | bhv6C63.tmp.7.dr | false | | high
            http://www.fontbureau.com/designers/cabarga.htmlN | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp | false | | high
            http://www.founder.com.cn/cn | 9jV2cBN6cQ.exe, 00000001.00000002.671605673.0000000007282000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000001.00000003.649722154.00000000016CD000.00000004.00000001.sdmp, 9jV2cBN6cQ.exe, 00000001.00000003.649937461.0000000006077000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1 | bhv6C63.tmp.7.dr | false | | high
            https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47 | bhv6C63.tmp.7.dr | false | | high
            http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg | bhv6C63.tmp.7.dr | false | URL Reputation: safe | unknown
            https://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://micros | vbc.exe, 00000007.00000002.693157801.000000000093E000.00000004.00000040.sdmp, vbc.exe, 00000007.00000003.691603469.0000000002718000.00000004.00000001.sdmp | false | | high
            http://support.google.com/accounts/answer/151657 | bhv6C63.tmp.7.dr | false | | high
            https://logincdn.msauth.net/16.000.28230.00/images/microsoft_logo.svg?x=ee5c8d9fb6248c938fd0dc19370e | bhv6C63.tmp.7.dr | false | Avira URL Cloud: safe | unknown
                                                                                                                                                  https://logincdn.msauth.net/16.000.28230.00/ConvergedLogin_PCore.jsbhv6C63.tmp.7.drfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplatebhv6C63.tmp.7.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.pngbhv6C63.tmp.7.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpgbhv6C63.tmp.7.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://www.google.com/chrome/static/images/chrome-logo.svgbhv6C63.tmp.7.drfalse
                                                                                                                                                          high

Contacted IPs

Public

IP            | Domain           | Country | ASN   | ASN Name | Malicious
66.70.204.222 | ftp.vn-gpack.org | Canada  | 16276 | OVHFR    | true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 489483
Start date: 24.09.2021
Start time: 07:36:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 25s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 9jV2cBN6cQ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@7/5@2/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 98.9% (good quality ratio 95.9%)
• Quality average: 85.6%
• Quality standard deviation: 23.2%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.49.157.6, 20.54.110.249, 40.112.88.60, 20.82.210.154, 80.67.82.211, 80.67.82.235, 20.82.209.183
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, iris-de-ppe-azsc-uks.uksouth.cloudapp.azure.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time     | Type            | Description
07:37:08 | API Interceptor | 6x Sleep call for process: 9jV2cBN6cQ.exe modified

Joe Sandbox View / Context

IPs

Match         | Associated Sample Name / URL | Detection | Context
66.70.204.222 | Dolmas.xlsm.exe              | malicious | tesla-com.tk/Awele/SINOPHIL@LOKIRAW_HGiTKz109.bin
66.70.204.222 | eurobank.pdf.exe             | malicious | tesla-com.tk/ford/SINOPHIL@LOKIRAW_GCLYOSF135.bin

Domains

Match            | Associated Sample Name / URL | Detection | Context
ftp.vn-gpack.org | 300821.PDF.exe               | malicious | 66.70.204.222

ASN

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9jV2cBN6cQ.exe.log
Process: C:\Users\user\Desktop\9jV2cBN6cQ.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\bhv6C63.tmp
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xe0a9ace6, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 30408704
Entropy (8bit): 1.0887524045390116
Encrypted: false
SSDEEP: 24576:xpy/YflH6N2gt8HVmyrqw781LfXy7R4aUpPX7Cr6f63rsLOZ:j1flH6N2iyrsrO
MD5: 4F2DD471D3B2E63DED4C30D7B8130155
SHA1: DDA6F9E1763F27E1419383F1A2C6FE77B7A6FF1F
SHA-256: 8EFF1816D2E0C0DFCA195F2D00C3BA898CE546BD520277455A7625AE56104EDF
                                                                                                                                                          SHA-512:1AE697BEABA27D21089089A7B8F74087E3DF145EDAE7F450EA98327901D0091D9A3FC516D8879DD382240B817CF7E367E11B3B48C1432AD45EF6E5461B4F9BDE
                                                                                                                                                          Malicious:false
                                                                                                                                                          Reputation:low
C:\Users\user\AppData\Local\Temp\holderwb.txt
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Little-endian UTF-16 Unicode text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..
C:\Users\user\AppData\Roaming\pid.txt
Process: C:\Users\user\Desktop\9jV2cBN6cQ.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 4
Entropy (8bit): 1.5
Encrypted: false
SSDEEP: 3:F:F
MD5: FD272FE04B7D4E68EFFD01BDDCC6BB34
SHA1: 403667553498DF159BDD52AF68CCF072F564FCC0
SHA-256: 15811BD57B46D0025F3A839BB785419C90F4F22518025A487979085DA2C6A189
SHA-512: 4329260A721F5A9AC58F608E4A4DAE1B443E5DBC41D6DDF02E37E7F8ABB292490626A6FDE5646D0F67AFB92C2EF295155C279297855BAE82A02A1C15DEA5803E
Malicious: false
Reputation: low
Preview: 4240
C:\Users\user\AppData\Roaming\pidloc.txt
Process: C:\Users\user\Desktop\9jV2cBN6cQ.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 37
Entropy (8bit): 4.301084704157686
Encrypted: false
SSDEEP: 3:oNt+WfWcjwDLNn:oNwvcjULN
MD5: AB856F9007C1F896B09F99AFE43E4AA9
SHA1: 696D6602810AFF8669396217A56DA37B2AEE5277
SHA-256: 2FA5A88044C2630B0D5C309A5F0CA2A4BBEEC513FF2E77A0648F731C20731DF5
SHA-512: 2739144A2E99DEDA988D45F754175626E4BF3A960FA67BCD1B434F73DCED4441B88B3CBF57ACD963470098B59F105F3F8BD13E561F7575FB04C5C7C875B1B440
Malicious: false
Reputation: low
Preview: C:\Users\user\Desktop\9jV2cBN6cQ.exe

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.493273717830563
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 9jV2cBN6cQ.exe
File size: 1154560
MD5: b105bec27851dabe21e1cf1c56bfda0e
SHA1: f822c5a33d94cbea0f69ce327257420b33b0d552
SHA256: ed133e3bc6f781c4a981f93c180e38c70572ad80e48c12294585767e583b9d0f
SHA512: aecaed590d316f3a762b97499bcbd62d0d59f31404a171b9f8daeff2dcc70726886fb652f1d96f257e2ab63c64f9a2b32b69d868836114a526b39e0b9b6c710c
SSDEEP: 12288:6sbxvLuoLXS7P2qGuV3uZlaDVEPWN53QwvJH4vNiCmLJ1GcyQizeVzhst:Vi+qDVeZlaDkWHgwq9uXiQzhst
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d$a............................~.... ........@.. ....................................@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x51b37e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x612464B2 [Tue Aug 24 03:17:06 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al
                                                                                                                                                          add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x11b328         0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x11c000         0x600         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x11e000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x119384      0x119400  False     0.811327256944   data       7.49843619507   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x11c000         0x600         0x600     False     0.430989583333   data       4.15453923293   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x11e000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA       Size   Type                                                                         Language  Country
RT_VERSION   0x11c090  0x34c  data
RT_MANIFEST  0x11c3ec  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2020 - 2021
Assembly Version  1.0.0.0
InternalName      CharUnicodeIn.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       Maze Creator
ProductVersion    1.0.0.0
FileDescription   Maze Creator
OriginalFilename  CharUnicodeIn.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Sep 24, 2021 07:37:29.095865965 CEST  49757        21         192.168.2.4    66.70.204.222
Sep 24, 2021 07:37:29.202817917 CEST  21           49757      66.70.204.222  192.168.2.4
Sep 24, 2021 07:37:29.203041077 CEST  49757        21         192.168.2.4    66.70.204.222
Sep 24, 2021 07:37:29.309921980 CEST  21           49757      66.70.204.222  192.168.2.4
Sep 24, 2021 07:37:29.310753107 CEST  49757        21         192.168.2.4    66.70.204.222
Sep 24, 2021 07:37:29.416963100 CEST  21           49757      66.70.204.222  192.168.2.4
Sep 24, 2021 07:37:29.417004108 CEST  21           49757      66.70.204.222  192.168.2.4
Sep 24, 2021 07:37:29.417340040 CEST  49757        21         192.168.2.4    66.70.204.222
Sep 24, 2021 07:37:29.543555975 CEST  21           49757      66.70.204.222  192.168.2.4
Sep 24, 2021 07:37:29.543709040 CEST  21           49757      66.70.204.222  192.168.2.4
Sep 24, 2021 07:37:29.543852091 CEST  49757        21         192.168.2.4    66.70.204.222
Sep 24, 2021 07:37:29.549218893 CEST  49757        21         192.168.2.4    66.70.204.222
Sep 24, 2021 07:37:29.656449080 CEST  21           49757      66.70.204.222  192.168.2.4

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 24, 2021 07:36:55.765113115 CEST  59123        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:36:55.786003113 CEST  53           59123      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:12.394850016 CEST  54531        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:12.414520025 CEST  53           54531      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:28.369875908 CEST  49714        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:28.390130043 CEST  53           49714      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:29.016794920 CEST  58028        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:29.079749107 CEST  53           58028      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:45.607337952 CEST  53097        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:45.627216101 CEST  53           53097      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:46.222497940 CEST  49257        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:46.240313053 CEST  53           49257      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:46.709433079 CEST  62389        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:46.729104042 CEST  53           62389      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:47.104373932 CEST  49910        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:47.122246027 CEST  53           49910      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:47.180658102 CEST  55854        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:47.207988024 CEST  53           55854      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:47.578228951 CEST  64549        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:47.597986937 CEST  53           64549      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:48.073757887 CEST  63153        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:48.091635942 CEST  53           63153      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:48.531852961 CEST  52991        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:48.551832914 CEST  53           52991      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:49.232863903 CEST  53700        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:49.254405022 CEST  53           53700      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:49.974829912 CEST  51726        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:50.007783890 CEST  53           51726      8.8.8.8      192.168.2.4
Sep 24, 2021 07:37:50.416419029 CEST  56794        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:37:50.436039925 CEST  53           56794      8.8.8.8      192.168.2.4
Sep 24, 2021 07:38:02.705089092 CEST  56534        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:38:02.714477062 CEST  56627        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:38:02.742063046 CEST  53           56627      8.8.8.8      192.168.2.4
Sep 24, 2021 07:38:02.744426966 CEST  53           56534      8.8.8.8      192.168.2.4
Sep 24, 2021 07:38:05.740559101 CEST  56621        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:38:05.761487007 CEST  53           56621      8.8.8.8      192.168.2.4
Sep 24, 2021 07:38:36.758479118 CEST  63116        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:38:36.792871952 CEST  53           63116      8.8.8.8      192.168.2.4
Sep 24, 2021 07:38:37.651041031 CEST  64078        53         192.168.2.4  8.8.8.8
Sep 24, 2021 07:38:37.671205997 CEST  53           64078      8.8.8.8      192.168.2.4

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type                  Class
Sep 24, 2021 07:37:12.394850016 CEST  192.168.2.4  8.8.8.8  0xc13c    Standard query (0)  90.168.9.0.in-addr.arpa  PTR (Pointer record)  IN (0x0001)
Sep 24, 2021 07:37:29.016794920 CEST  192.168.2.4  8.8.8.8  0x9d65    Standard query (0)  ftp.vn-gpack.org         A (IP address)        IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                     CName  Address        Type                  Class
Sep 24, 2021 07:37:12.414520025 CEST  8.8.8.8    192.168.2.4  0xc13c    Name error (3)  90.168.9.0.in-addr.arpa  none   none           PTR (Pointer record)  IN (0x0001)
Sep 24, 2021 07:37:29.079749107 CEST  8.8.8.8    192.168.2.4  0x9d65    No error (0)    ftp.vn-gpack.org                66.70.204.222  A (IP address)        IN (0x0001)

FTP Packets

Timestamp                             Source Port  Dest Port  Source IP      Dest IP        Commands
Sep 24, 2021 07:37:29.309921980 CEST  21           49757      66.70.204.222  192.168.2.4    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                                            220-You are user number 1 of 50 allowed.
                                                                                            220-Local time is now 09:37. Server port: 21.
                                                                                            220-This is a private system - No anonymous login
                                                                                            220-IPv6 connections are also welcome on this server.
                                                                                            220 You will be disconnected after 15 minutes of inactivity.
Sep 24, 2021 07:37:29.310753107 CEST  49757        21         192.168.2.4    66.70.204.222  USER Lloggoss123@vn-gpack.org
Sep 24, 2021 07:37:29.417004108 CEST  21           49757      66.70.204.222  192.168.2.4    331 User Lloggoss123@vn-gpack.org OK. Password required
Sep 24, 2021 07:37:29.417340040 CEST  49757        21         192.168.2.4    66.70.204.222  PASS Xpen2000
Sep 24, 2021 07:37:29.543555975 CEST  21           49757      66.70.204.222  192.168.2.4    421 Home directory not available - aborting

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 07:37:00
Start date: 24/09/2021
Path: C:\Users\user\Desktop\9jV2cBN6cQ.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\9jV2cBN6cQ.exe'
Imagebase: 0xb10000
File size: 1154560 bytes
MD5 hash: B105BEC27851DABE21E1CF1C56BFDA0E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.664391602.0000000003079000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.669409810.0000000004ED7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000001.00000002.672553798.0000000009A31000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 07:37:09
Start date: 24/09/2021
Path: C:\Users\user\Desktop\9jV2cBN6cQ.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\9jV2cBN6cQ.exe
Imagebase: 0x710000
File size: 1154560 bytes
MD5 hash: B105BEC27851DABE21E1CF1C56BFDA0E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.915272981.0000000007160000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.915336004.0000000007320000.00000004.00020000.sdmp, Author: Arnim Rupp
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.914204338.0000000003B21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.914204338.0000000003B21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.912588772.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.913535799.0000000002B21000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 07:37:18
Start date: 24/09/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.684007490.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

General

Start time: 07:37:18
Start date: 24/09/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.692945681.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation: high

Disassembly

Code Analysis