Windows Analysis Report SecuriteInfo.com.Trojan.AutoIt.316.10986.27538

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.AutoIt.316.10986.27538 (renamed file extension from 27538 to exe)
Analysis ID: 537823
MD5: 52d4245d65d5cc2da05298c480ffcc5f
SHA1: b2ecf335eb93feba2cf923419e70d7b6cff79061
SHA256: 70ef3c88a90dd590de9a0ac4634b5017f35ea6dedec14f3cc3b5d9eeb3ca84a2
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
Injects a PE file into a foreign process
Yara detected WebBrowserPassView password recovery tool
Contains functionality to inject code into remote processes
AutoIt script contains suspicious strings
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc.)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Virustotal: Detection: 69%
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe ReversingLabs: Detection: 77%
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Avira: detected
Multi AV Scanner detection for domain / URL
Source: https://a.pomf.cat/ Virustotal: Detection: 7%
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.0.RegAsm.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, RegAsm.exe, 00000001.00000002.518219732.00000000033CE000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 3_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 3_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 19_2_0040702D
Source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, RegAsm.exe, 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: bhv4453.tmp.3.dr String found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr String found in binary or memory: http://www.msn.com
Source: bhv4453.tmp.3.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 00000003.00000003.270439604.000000000227A000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.270303506.0000000002276000.00000004.00000001.sdmp, bhv4453.tmp.3.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv4453.tmp.3.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv4453.tmp.3.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv4453.tmp.3.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: vbc.exe, 00000003.00000002.273144244.000000000019C000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhv4453.tmp.3.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, bhv4453.tmp.3.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: bhv4453.tmp.3.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/
Source: bhv4453.tmp.3.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, bhv4453.tmp.3.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: bhv4453.tmp.3.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv4453.tmp.3.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv4453.tmp.3.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv4453.tmp.3.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://contextual.media.net/
Source: bhv4453.tmp.3.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv4453.tmp.3.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000003.00000003.272251788.00000000028BB000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.medi
Source: vbc.exe, 00000003.00000003.269966059.000000000226E000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.270109165.0000000002276000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000003.00000002.273357379.0000000002848000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phpm
Source: bhv4453.tmp.3.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 00000003.00000003.269966059.000000000226E000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.270109165.0000000002276000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhv4453.tmp.3.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv4453.tmp.3.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/57/35/144/83ebc513-f6d1-4e0e-a39a-bef975147e85.jpg?v=9
Source: bhv4453.tmp.3.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
Source: bhv4453.tmp.3.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: bhv4453.tmp.3.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: bhv4453.tmp.3.dr String found in binary or memory: https://cvision.media.net/new/300x194/2/138/47/25/3b2da2d4-7a38-47c3-b162-f33e769f51f5.jpg?v=9
Source: bhv4453.tmp.3.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv4453.tmp.3.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv4453.tmp.3.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: bhv4453.tmp.3.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv4453.tmp.3.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv4453.tmp.3.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv4453.tmp.3.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv4453.tmp.3.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv4453.tmp.3.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv4453.tmp.3.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv4453.tmp.3.dr String found in binary or memory: https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_333%2Cw_311%2Cc_fill%2Cg_faces:aut
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: bhv4453.tmp.3.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, bhv4453.tmp.3.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 00000003.00000003.272251788.00000000028BB000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.273357379.0000000002848000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.269966059.000000000226E000.00000004.00000001.sdmp, bhv4453.tmp.3.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv4453.tmp.3.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: bhv4453.tmp.3.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv4453.tmp.3.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: bhv4453.tmp.3.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: bhv4453.tmp.3.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhv4453.tmp.3.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv4453.tmp.3.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv4453.tmp.3.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=623d43496a394c99b1336ff5cc139eb9&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv4453.tmp.3.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=299872286.1601476511
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv4453.tmp.3.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D8CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00D8CDAC
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D02344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00D02344
Contains functionality to read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 3_2_0040F078

System Summary:

Malicious sample detected (through community Yara rule)
Source: 19.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a9b8f2.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a9b8f2.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.522834a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a435a8.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a435a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RegAsm.exe.51d0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.51d0345.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.522834a.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6d55bd0.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6df1c10.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6df1c10.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a438ed.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RegAsm.exe.51d0000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000000.401896100.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000000.402276978.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Binary is likely a compiled AutoIt script file
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000000.246789907.0000000000DB5000.00000002.00020000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000000.246789907.0000000000DB5000.00000002.00020000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
AutoIt script contains suspicious strings
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe AutoIt Script: $PROTECT ) LOCAL $BIN_SHELLCODE = REQ_TCJHAHVFDQURV
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe AutoIt Script: QMFVRQNV () LOCAL $LPSHELLCODE = DLLCALL (PNBIRNHK
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe AutoIt Script: ILE ) LOCAL $RET = DLLCALLADDRESS (MLHTVAHGQBSHGBCHDS
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Yara signature match
Source: 19.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a9b8f2.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a9b8f2.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.522834a.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a435a8.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a435a8.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RegAsm.exe.51d0000.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.51d0345.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.522834a.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6d55bd0.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6df1c10.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6df1c10.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a438ed.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RegAsm.exe.51d0000.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000000.401896100.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000013.00000000.402276978.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D0E060 0_2_00D0E060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D0E800 0_2_00D0E800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D0FE40 0_2_00D0FE40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D16843 0_2_00D16843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D8804A 0_2_00D8804A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D37006 0_2_00D37006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D1710E 0_2_00D1710E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D36522 0_2_00D36522
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D216C4 0_2_00D216C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D01287 0_2_00D01287
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D18A0E 0_2_00D18A0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D2BFE6 0_2_00D2BFE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D2DBB5 0_2_00D2DBB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E634D0 1_2_02E634D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E60801 1_2_02E60801
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E6A1E3 1_2_02E6A1E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E65588 1_2_02E65588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E68B90 1_2_02E68B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E64998 1_2_02E64998
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E6A798 1_2_02E6A798
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E61D2A 1_2_02E61D2A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E67F10 1_2_02E67F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E67518 1_2_02E67518
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E638B7 1_2_02E638B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63AB4 1_2_02E63AB4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E608B0 1_2_02E608B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E65880 1_2_02E65880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E6388B 1_2_02E6388B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E65890 1_2_02E65890
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E6369C 1_2_02E6369C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63868 1_2_02E63868
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63A77 1_2_02E63A77
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63671 1_2_02E63671
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E66A23 1_2_02E66A23
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63A3A 1_2_02E63A3A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E68439 1_2_02E68439
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63C00 1_2_02E63C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63E00 1_2_02E63E00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E60816 1_2_02E60816
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63217 1_2_02E63217
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E6361B 1_2_02E6361B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63218 1_2_02E63218
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E637FA 1_2_02E637FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E645C0 1_2_02E645C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E639DA 1_2_02E639DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E641D8 1_2_02E641D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E64DA1 1_2_02E64DA1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E64DB0 1_2_02E64DB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E637B8 1_2_02E637B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63B85 1_2_02E63B85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63580 1_2_02E63580
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E68B80 1_2_02E68B80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63B62 1_2_02E63B62
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E65768 1_2_02E65768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63777 1_2_02E63777
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63744 1_2_02E63744
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E62721 1_2_02E62721
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E62730 1_2_02E62730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E66D30 1_2_02E66D30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E67F00 1_2_02E67F00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63B0F 1_2_02E63B0F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E6390D 1_2_02E6390D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E67508 1_2_02E67508
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E63711 1_2_02E63711
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0044900F 3_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_004042EB 3_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00414281 3_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00410291 3_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_004063BB 3_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00415624 3_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0041668D 3_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040477F 3_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040487C 3_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0043589B 3_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0043BA9D 3_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0043FBD3 3_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_00404DE5 19_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_00404E56 19_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_00404EC7 19_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_00404F58 19_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_0040BF6B 19_2_0040BF6B
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004083D6 appears 32 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E6ACC8 NtUnmapViewOfSection,NtUnmapViewOfSection, 1_2_02E6ACC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 3_2_0040978A
Sample file name differs from the original file name recorded in its version info
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.316.10986.exe
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.316.10986.exe
PE file contains strange resources
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Virustotal: Detection: 69%
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe ReversingLabs: Detection: 77%
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBCAF.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBBC1.tmp
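The process tree above is the whole HawkEye staging pattern in three lines: the AutoIt stub starts RegAsm.exe with no arguments at all (the hollowed host), and the hollowed RegAsm.exe starts vbc.exe twice with "/stext <temp file>", which is the save-as-text switch of NirSoft's recovery tools (the WebBrowserPassView and mailpv builds whose PDB paths appear later in this report), not a switch the real Visual Basic compiler has. The following is an added example, not part of the report and not a vendor ruleset: detection logic modelled on the Sigma rule the report names ("Bad Opsec Defaults Sacrificial Processes With Improper Arguments") plus the foreign "/stext" check, run over constructed Sysmon-style process-creation events. The host and tool lists, the event schema and the sample events are assumptions made here; PIDs 4720 and 5908 are the ones the report gives, the other PIDs and the two benign control events are invented, and the vbc.exe command lines are written with the outer quotes that the report's rendering trims.

```python
"""Sacrificial-process detection over constructed process-creation events.

Added example; not part of the sandbox report and not a vendor ruleset.
Lists, schema and sample events below are assumptions made for this demo.
"""
import ntpath
from typing import Dict, List, Tuple

# .NET framework utilities that loaders hollow and use as injection hosts.
# Any of them launched with no switches at all is abnormal (assumed list).
SACRIFICIAL_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                     "applaunch.exe", "vbc.exe", "csc.exe", "msbuild.exe"}
# Subset that never legitimately launches compilers; MSBuild does, so it is
# kept off the parent side of the chain check to avoid build-server noise.
NON_BUILD_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "applaunch.exe"}
# NirSoft recovery tools in which /stext is an ordinary switch (assumed list).
NIRSOFT_TOOLS = {"webbrowserpassview.exe", "mailpv.exe", "mspass.exe",
                 "iepv.exe", "passwordfox.exe", "chromepass.exe"}


def split_cmdline(cmdline: str) -> Tuple[str, str]:
    """Split a Windows command line into (executable, remaining arguments)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:].strip())
    exe, _, rest = s.partition(" ")
    return exe, rest.strip()


def analyse(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that trips one of the checks."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent_image"]).lower()
        _, args = split_cmdline(ev["cmdline"])
        # 1. A hollowing host started bare: real uses always carry switches.
        if image in SACRIFICIAL_HOSTS and not args:
            findings.append(("sacrificial_host_without_arguments", ev["pid"]))
        # 2. NirSoft's /stext switch handed to a binary that is not a NirSoft tool.
        if "/stext" in args.lower() and image not in NIRSOFT_TOOLS:
            findings.append(("nirsoft_stext_switch_in_foreign_image", ev["pid"]))
        # 3. One injection host spawning another (RegAsm.exe -> vbc.exe here).
        if parent in NON_BUILD_HOSTS and image in SACRIFICIAL_HOSTS:
            findings.append(("sacrificial_host_spawns_sacrificial_host", ev["pid"]))
    return findings


FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe"

# Constructed events mirroring the report's tree, plus two benign controls
# (a developer registering a COM assembly, MSBuild driving vbc.exe).
SAMPLE_EVENTS = [
    {"pid": 4720, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5908, "image": FW + r"\RegAsm.exe", "cmdline": FW + r"\RegAsm.exe",
     "parent_image": SAMPLE},
    {"pid": 3001, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\tmpBCAF.tmp"',
     "parent_image": FW + r"\RegAsm.exe"},
    {"pid": 3002, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /stext "C:\\Users\\user\\AppData\\Local\\Temp\\tmpBBC1.tmp"',
     "parent_image": FW + r"\RegAsm.exe"},
    {"pid": 7001, "image": FW + r"\RegAsm.exe",
     "cmdline": f'"{FW}\\RegAsm.exe" /codebase "C:\\app\\Foo.dll"',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 7002, "image": FW + r"\vbc.exe",
     "cmdline": f'"{FW}\\vbc.exe" /noconfig @"C:\\build\\tmp.rsp"',
     "parent_image": FW + r"\MSBuild.exe"},
]


def run_sample() -> List[Tuple[str, int]]:
    """Run the checks over the constructed events; five findings expected."""
    return analyse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, pid in run_sample():
        print(f"{rule:45} pid={pid}")
```

The bare-launch check alone already catches the hollowed RegAsm.exe; the /stext and chain checks add the two vbc.exe children without touching either control event. In production the image list should be tuned per environment (build hosts legitimately run csc.exe and vbc.exe, but not bare and not from RegAsm.exe).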
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\78ede25b-fb90-6791-1ca9-e1fd644b6d85
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@7/3@0/0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 3_2_00418073
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.0.RegAsm.exe.400000.1.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D6A2D5 GetLastError,FormatMessageW, 0_2_00D6A2D5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D63E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00D63E91
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Mutant created: \Sessions\1\BaseNamedObjects\AppVStreamingUX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\2abee00b-b3e0-47a1-983b-d279e54487e7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource, 3_2_004141E0
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static file information: File size 2135040 > 1048576
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x13ee00
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, RegAsm.exe, 00000001.00000002.518219732.00000000033CE000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D28B85 push ecx; ret 0_2_00D28B98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_01289127 push ebp; retf 1_2_0128913D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E62FA5 push ss; retf 1_2_02E62FA6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_02E62F1C push ss; retf 1_2_02E62F1D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00444975 push ecx; ret 3_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00444B90 push eax; ret 3_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00444B90 push eax; ret 3_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00448E74 push eax; ret 3_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0042CF44 push ebx; retf 0042h 3_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_00412341 push ecx; ret 19_2_00412351
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_00412360 push eax; ret 19_2_00412374
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_00412360 push eax; ret 19_2_0041239C
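Two things are worth weighing before acting on the push/ret list above. First, most entries pair a push with a ret at a later address in the same function (0_2_00D28B85 against 0_2_00D28B98, 3_2_00444B90 against two different rets), which is also what an ordinary compiler epilogue looks like. Second, the three "push ss; retf" hits in RegAsm.exe sit at 02E6xxxx, well outside the 0x400000 image this report unpacks from that process, so they are as likely to be non-code bytes read as instructions as a deliberate obfuscation. The scanner below is an added example, not part of the report and not the sandbox's own detector: it reproduces the narrow form of the heuristic (a push immediately followed by a ret or retf, the shape of a hand-rolled jump) and then measures how often that shape appears in bytes that are not code at all. Opcode tables cover 32-bit x86 only; the sample bytes and the seeded random blob are constructed inputs.

```python
"""Adjacent push/ret pair scanner with a false-positive baseline.

Added example; not part of the sandbox report or its detector. 32-bit x86
opcodes only. SAMPLE is a constructed byte string, the random blob is a
constructed baseline input generated with a fixed seed.
"""
import random
from typing import List, Tuple

PUSH_R32 = {0x50 + r: f"push {reg}" for r, reg in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_SEG = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds"}
RETS = {0xC3: "ret", 0xC2: "ret", 0xCB: "retf", 0xCA: "retf"}
RET_WITH_IMM16 = {0xC2, 0xCA}   # ret imm16 / retf imm16 carry a 2-byte operand


def scan_push_ret(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, mnemonic pair) for every push immediately followed by a ret."""
    hits = []
    for i in range(len(data) - 1):
        push = PUSH_R32.get(data[i]) or PUSH_SEG.get(data[i])
        ret_op = data[i + 1]
        if push is None or ret_op not in RETS:
            continue
        ret = RETS[ret_op]
        if ret_op in RET_WITH_IMM16:
            if i + 4 > len(data):
                continue                      # immediate truncated by end of buffer
            imm = int.from_bytes(data[i + 2:i + 4], "little")
            ret = f"{ret} {imm:04X}h"        # same notation as the report: retf 0042h
        hits.append((i, f"{push}; {ret}"))
    return hits


def hits_in_random_blob(size: int = 1 << 20, seed: int = 1) -> int:
    """Pairs found in `size` bytes of pseudo-random data: the chance-hit floor.

    Twelve push opcodes and four ret opcodes give a per-offset probability of
    (12/256) * (4/256), i.e. roughly 768 pairs per MiB of arbitrary bytes.
    """
    blob = random.Random(seed).randbytes(size)
    return len(scan_push_ret(blob))


# Constructed 11-byte sample holding the three pair shapes the report lists.
SAMPLE = bytes([0x90, 0x51, 0xC3,               # nop; push ecx; ret
                0x90, 0x16, 0xCB,               # nop; push ss; retf
                0x53, 0xCA, 0x42, 0x00, 0x90])  # push ebx; retf 0042h; nop


if __name__ == "__main__":
    for off, text in scan_push_ret(SAMPLE):
        print(f"{off:#06x}: {text}")
    print("pairs per MiB of random bytes:", hits_in_random_blob())
```

The baseline is the point: a few hundred pairs per MiB of random data means a handful of hits in a multi-megabyte process, especially inside heap or JIT regions, is noise unless the push operand is a computed code address. Treat this signature as supporting evidence next to the hollowing and injection findings, not as a standalone indicator.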
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D04C95 LoadLibraryA,GetProcAddress, 0_2_00D04C95
PE file contains an invalid checksum
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Static PE information: real checksum: 0xf519f should be: 0x214037
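The checksum finding is easy to reproduce and worth understanding, because it is also easy to over-read. Windows computes IMAGE_OPTIONAL_HEADER.CheckSum by summing the file as 16-bit words with end-around carry (skipping the CheckSum field itself) and adding the file length; the loader only enforces it for kernel-mode images, so a wrong or zero value in a user-mode binary is a weak tamper or packer hint, stronger here only in combination with the AutoIt stub, the oversized .rsrc and the mismatched OriginalFilename. The following is an added example, not part of the report and not the sandbox's code: a stand-alone reimplementation of that algorithm that reports the stored value against the recomputed one, which for the sample above is the 0xf519f versus 0x214037 mismatch the report shows. The minimal PE buffer built by build_minimal_pe() is constructed for offline testing and is not a loadable executable.

```python
"""Recompute a PE header CheckSum and compare it with the stored value.

Added example; not part of the sandbox report. build_minimal_pe() produces a
constructed, non-loadable buffer used only to exercise the arithmetic.
"""
import struct
import sys
from typing import Tuple


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # 4-byte signature + 20-byte COFF header, then CheckSum at +64 in the optional header
    return e_lfanew + 4 + 20 + 64


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """CheckSumMappedFile algorithm: fold all 32-bit words (except the CheckSum
    field) with end-around carry, fold to 16 bits, then add the file length."""
    skip = checksum_field_offset(data) // 4
    checksum = 0
    for i in range(len(data) // 4):
        if i == skip:
            continue
        checksum += struct.unpack_from("<I", data, i * 4)[0]
        if checksum >= (1 << 32):
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    rem = len(data) % 4
    if rem:                                   # zero-pad a trailing partial word
        tail = data[len(data) - rem:] + b"\0" * (4 - rem)
        checksum += struct.unpack("<I", tail)[0]
        if checksum >= (1 << 32):
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    return (checksum & 0xFFFF) + len(data)


def verify(data: bytes) -> Tuple[int, int, bool]:
    """(stored, computed, match). A stored 0 means 'never set'; the loader
    accepts that for user-mode images, so treat it as absent, not as forged."""
    stored = stored_checksum(data)
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_pe(stored: int = 0) -> bytes:
    """Constructed 312-byte stand-in: DOS header, PE signature, zeroed COFF
    header and a PE32 optional header with only Magic set. Not loadable."""
    buf = bytearray(0x40 + 4 + 20 + 224)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)        # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<I", buf, 0x40 + 24 + 64, stored)  # CheckSum field
    return bytes(buf)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        s, c, ok = verify(fh.read())
    print(f"stored 0x{s:x} computed 0x{c:x} -> {'ok' if ok else 'MISMATCH'}")
```

Because the CheckSum field is excluded from the sum, writing the computed value back into the header leaves the result unchanged, which is how a linker (or a packer that cares about opsec) produces a valid value; the test below checks exactly that property, plus that a single flipped byte elsewhere moves the result.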

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00D04A35
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00443A61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5784 Thread sleep count: 206 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5784 Thread sleep time: -206000s >= -30000s
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 3_2_0040978A
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D04AFE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 3_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 3_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen, 19_2_0040702D

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D35CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00D35CCC
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 3_2_0040978A
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D35CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00D35CCC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D04C95 LoadLibraryA,GetProcAddress, 0_2_00D04C95
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_3_00CF00BE mov esi, dword ptr fs:[00000030h] 0_3_00CF00BE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D2A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D2A395

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: C65008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 2C6008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3D2008
.NET source code references suspicious native API functions
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_3_00CF00BE CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread, 0_3_00CF00BE
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D04A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00D04A35
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBCAF.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBBC1.tmp
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, RegAsm.exe, 00000001.00000002.515744760.0000000001750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000001.00000002.515744760.0000000001750000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000001.00000002.515744760.0000000001750000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: RegAsm.exe, 00000001.00000002.515744760.0000000001750000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: RegAsm.exe, 00000001.00000002.515744760.0000000001750000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00D350D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe Code function: 0_2_00D04AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D04AFE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 19_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 19_2_004073B6

Stealing of Sensitive Information:

Yara detected MailPassView
Source: Yara match File source: 19.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a9b8f2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a9b8f2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.522834a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a435a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a435a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.51d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.51d0345.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.522834a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6d55bd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6df1c10.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6df1c10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a438ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.51d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.401896100.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.402276978.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518219732.00000000033CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5964, type: MEMORYSTR
Yara detected HawkEye Keylogger
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 19_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 19_2_00402D74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 19_2_004033B1
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 3.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a435a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a435a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.51d0345.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.51d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.51d0345.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6d55bd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a438ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.4a438ed.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6d55bd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.51d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.262035406.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.261098528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 4484, type: MEMORYSTR
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR

Remote Access Functionality:

Yara detected HawkEye Keylogger
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR
Detected HawkEye Rat
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
No contacted IP infos