Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Trojan.AutoIt.316.10986.27538

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.AutoIt.316.10986.27538 (renamed file extension from 27538 to exe)
Analysis ID:	537823
MD5:	52d4245d65d5cc2da05298c480ffcc5f
SHA1:	b2ecf335eb93feba2cf923419e70d7b6cff79061
SHA256:	70ef3c88a90dd590de9a0ac4634b5017f35ea6dedec14f3cc3b5d9eeb3ca84a2
Tags:	exeHawkEye
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Multi AV Scanner detection for submitted file

Yara detected HawkEye Keylogger

Malicious sample detected (through community Yara rule)

Antivirus / Scanner detection for submitted sample

Detected HawkEye Rat

Multi AV Scanner detection for domain / URL

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file registry)

Binary is likely a compiled AutoIt script file

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Yara detected WebBrowserPassView password recovery tool

Contains functionality to inject code into remote processes

AutoIt script contains suspicious strings

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Yara detected Credential Stealer

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to simulate keystroke presses

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Tries to load missing DLLs

Contains functionality to read the PEB

Potential key logger detected (key state polling based)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.AutoIt.316.10986.exe (PID: 4720 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe" MD5: 52D4245D65D5CC2DA05298C480FFCC5F)

RegAsm.exe (PID: 5908 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)

vbc.exe (PID: 4484 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBCAF.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 5964 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBBC1.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c4e:$s1: HawkEye Keylogger 0x87cb7:$s1: HawkEye Keylogger 0x81091:$s2: _ScreenshotLogger 0x8105e:$s3: _PasswordStealer
00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000000.262035406.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000003.00000000.261098528.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000013.00000000.401896100.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000013.00000000.401896100.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87a2e:$s1: HawkEye Keylogger 0x87a97:$s1: HawkEye Keylogger 0x80e71:$s2: _ScreenshotLogger 0x80e3e:$s3: _PasswordStealer
00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000013.00000000.402276978.0000000000400000.00000040.00000001.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
00000013.00000000.402276978.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x8f454:$s1: HawkEye Keylogger 0x8e558:$s2: _ScreenshotLogger 0x8eaa4:$s2: _ScreenshotLogger 0x8e525:$s3: _PasswordStealer 0x8ea71:$s3: _PasswordStealer
00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87a2e:$s1: HawkEye Keylogger 0x87a97:$s1: HawkEye Keylogger 0x80e71:$s2: _ScreenshotLogger 0x80e3e:$s3: _PasswordStealer
00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87a2e:$s1: HawkEye Keylogger 0x87a97:$s1: HawkEye Keylogger 0x80e71:$s2: _ScreenshotLogger 0x80e3e:$s3: _PasswordStealer
00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87a2e:$s1: HawkEye Keylogger 0x87a97:$s1: HawkEye Keylogger 0x80e71:$s2: _ScreenshotLogger 0x80e3e:$s3: _PasswordStealer
00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b4fa:$a1: logins.json 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6bc7e:$s4: \mozsqlite3.dll 0x6a4ee:$s5: SMTP Password
00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.518219732.00000000033CE000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x1ba906:$s2: _ScreenshotLogger 0x2a8751:$s2: _ScreenshotLogger 0x1ba8d3:$s3: _PasswordStealer 0x2a871e:$s3: _PasswordStealer
Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: RegAsm.exe PID: 5908	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x23f7e:$s2: _ScreenshotLogger 0x2dc22:$s2: _ScreenshotLogger 0x494ff:$s2: _ScreenshotLogger 0x23f4b:$s3: _PasswordStealer 0x2dbef:$s3: _PasswordStealer 0x494cc:$s3: _PasswordStealer
Process Memory Space: RegAsm.exe PID: 5908	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5908	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: RegAsm.exe PID: 5908	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: RegAsm.exe PID: 5908	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 4484	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 5964	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.0.vbc.exe.400000.4.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.0.vbc.exe.400000.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.3.RegAsm.exe.4a9b8f2.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x11bb0:$a1: logins.json 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x12334:$s4: \mozsqlite3.dll 0x115a4:$s5: SMTP Password
1.3.RegAsm.exe.4a9b8f2.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.0.vbc.exe.400000.3.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
19.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.0.vbc.exe.400000.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.3.RegAsm.exe.4a9b8f2.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
1.3.RegAsm.exe.4a9b8f2.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.0.vbc.exe.400000.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.RegAsm.exe.522834a.3.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
1.2.RegAsm.exe.522834a.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
19.0.vbc.exe.400000.2.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
19.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.3.RegAsm.exe.4a435a8.2.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x696fa:$a1: logins.json 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x69e7e:$s4: \mozsqlite3.dll 0x686ee:$s5: SMTP Password
1.3.RegAsm.exe.4a435a8.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.3.RegAsm.exe.4a435a8.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
19.0.vbc.exe.400000.5.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.0.vbc.exe.400000.5.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.0.vbc.exe.400000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.0.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.0.vbc.exe.400000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
19.0.vbc.exe.400000.1.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.0.vbc.exe.400000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
19.0.vbc.exe.400000.2.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.0.vbc.exe.400000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.2.vbc.exe.400000.0.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
19.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.3.RegAsm.exe.4a435a8.2.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b4fa:$a1: logins.json 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6bc7e:$s4: \mozsqlite3.dll 0x6a4ee:$s5: SMTP Password
1.3.RegAsm.exe.4a435a8.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.3.RegAsm.exe.4a435a8.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
19.2.vbc.exe.400000.0.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.51d0345.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
3.0.vbc.exe.400000.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
3.0.vbc.exe.400000.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.RegAsm.exe.400000.0.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
1.2.RegAsm.exe.400000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x87601:$name: ConfuserEx 0x8630e:$compile: AssemblyTitle
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.RegAsm.exe.400000.0.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
1.0.RegAsm.exe.400000.0.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
1.0.RegAsm.exe.400000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x87601:$name: ConfuserEx 0x8630e:$compile: AssemblyTitle
1.0.RegAsm.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.0.RegAsm.exe.400000.0.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
1.2.RegAsm.exe.51d0000.2.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b4fa:$a1: logins.json 0x6b45a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6bc7e:$s4: \mozsqlite3.dll 0x6a4ee:$s5: SMTP Password
1.2.RegAsm.exe.51d0000.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.51d0000.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.RegAsm.exe.51d0345.1.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b1b5:$a1: logins.json 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6b939:$s4: \mozsqlite3.dll 0x6a1a9:$s5: SMTP Password
1.2.RegAsm.exe.51d0345.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.51d0345.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
3.0.vbc.exe.400000.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.RegAsm.exe.522834a.3.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x11bb0:$a1: logins.json 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x12334:$s4: \mozsqlite3.dll 0x115a4:$s5: SMTP Password
1.2.RegAsm.exe.522834a.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.0.vbc.exe.400000.3.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
19.0.vbc.exe.400000.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.6d55bd0.5.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0xaf1f0:$a1: logins.json 0xaf150:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0xaf974:$s4: \mozsqlite3.dll 0xae1e4:$s5: SMTP Password
1.2.RegAsm.exe.6d55bd0.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.6d55bd0.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x87601:$name: ConfuserEx 0x8630e:$compile: AssemblyTitle
0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
19.0.vbc.exe.400000.5.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
19.0.vbc.exe.400000.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
19.0.vbc.exe.400000.4.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x147b0:$a1: logins.json 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x14f34:$s4: \mozsqlite3.dll 0x137a4:$s5: SMTP Password
19.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.0.vbc.exe.400000.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.RegAsm.exe.6df1c10.4.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x11bb0:$a1: logins.json 0x11b10:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x12334:$s4: \mozsqlite3.dll 0x115a4:$s5: SMTP Password
1.2.RegAsm.exe.6df1c10.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.6df1c10.4.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x131b0:$a1: logins.json 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x13934:$s4: \mozsqlite3.dll 0x121a4:$s5: SMTP Password
1.2.RegAsm.exe.6df1c10.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.0.vbc.exe.400000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.3.RegAsm.exe.4a438ed.1.raw.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x6b1b5:$a1: logins.json 0x6b115:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x6b939:$s4: \mozsqlite3.dll 0x6a1a9:$s5: SMTP Password
1.3.RegAsm.exe.4a438ed.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.3.RegAsm.exe.4a438ed.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.3.RegAsm.exe.4a438ed.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.0.RegAsm.exe.400000.1.unpack	MAL_HawkEye_Keylogger_Gen_Dec18	Detects HawkEye Keylogger Reborn	Florian Roth	0x87c2e:$s1: HawkEye Keylogger 0x87c97:$s1: HawkEye Keylogger 0x81071:$s2: _ScreenshotLogger 0x8103e:$s3: _PasswordStealer
1.0.RegAsm.exe.400000.1.unpack	SUSP_NET_NAME_ConfuserEx	Detects ConfuserEx packed file	Arnim Rupp	0x87601:$name: ConfuserEx 0x8630e:$compile: AssemblyTitle
1.0.RegAsm.exe.400000.1.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.0.RegAsm.exe.400000.1.unpack	HawkEyev9	HawkEye v9 Payload	ditekshen	0x87c2e:$id1: HawkEye Keylogger - Reborn v9 - {0} Logs - {1} \ {2} 0x87c97:$id2: HawkEye Keylogger - Reborn v9{0}{1} Logs{0}{2} \ {3}{0}{0}{4} 0x8103e:$str1: _PasswordStealer 0x8104f:$str2: _KeyStrokeLogger 0x81071:$str3: _ScreenshotLogger 0x81060:$str4: _ClipboardLogger 0x81083:$str5: _WebCamLogger 0x81198:$str6: _AntiVirusKiller 0x81186:$str7: _ProcessElevation 0x8114d:$str8: _DisableCommandPrompt 0x81253:$str9: _WebsiteBlocker 0x81263:$str9: _WebsiteBlocker 0x81139:$str10: _DisableTaskManager 0x811b4:$str11: _AntiDebugger 0x8123e:$str12: _WebsiteVisitorSites 0x81163:$str13: _DisableRegEdit 0x811c2:$str14: _ExecutionDelay 0x810e7:$str15: _InstallStartupPersistance
1.2.RegAsm.exe.6d55bd0.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
3.0.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
3.0.vbc.exe.400000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.RegAsm.exe.51d0000.2.unpack	APT_NK_BabyShark_KimJoingRAT_Apr19_1	Detects BabyShark KimJongRAT	Florian Roth	0x696fa:$a1: logins.json 0x6965a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login 0x69e7e:$s4: \mozsqlite3.dll 0x686ee:$s5: SMTP Password
1.2.RegAsm.exe.51d0000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.RegAsm.exe.51d0000.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 83 entries

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Show sources

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe" , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, ParentProcessId: 4720, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5908

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe" , ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, ParentProcessId: 4720, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 5908

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Virustotal: Detection: 69%			Perma Link
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	ReversingLabs: Detection: 77%

Antivirus / Scanner detection for submitted sample

Show sources

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Show sources

Source: https://a.pomf.cat/

Virustotal: Detection: 7%

Perma Link

Source: 1.0.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.0.RegAsm.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp
Source:	Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, RegAsm.exe, 00000001.00000002.518219732.00000000033CE000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,	3_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,	3_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 19_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,	19_2_0040702D

Source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000001.00000002.519365892.0000000006D51000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.516610948.0000000003292000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.253770360.0000000004A43000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000003.00000003.272406112.0000000002276000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.272930128.0000000002276000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: vbc.exe, 00000003.00000003.272406112.0000000002276000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.272930128.0000000002276000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: vbc.exe, 00000003.00000003.272466094.0000000002276000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.272267700.0000000002276000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.272428649.0000000002276000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://
Source: vbc.exe, 00000003.00000003.272466094.0000000002276000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.272267700.0000000002276000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.272428649.0000000002276000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=5cc75168-41b2-44e1-97be-a6965c7dcef4&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%2241C163740D104A3C92254F8DC4EFA2A6%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttp://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=160&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=5&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=125&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.bing.com/search?q=chrome&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://www.bing.com/orgid/idtoken/nosigninhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852188168;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://

Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com/
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0V
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjE4MmE0M2M0MDY3OGU1N2E4MjhkM2NjNDdlNGMzZmNkYjU1N
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijc4NDFiMmZlNWMxZGU2M2JkNDdjMGQzZWI3NjIzYjlkNWU5N
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImY3MDA1MDJkMTdmZDY0M2VkZTBjNzg5MTE1OWEyYTYxMWRiN
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvrrg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yHSm?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yqHP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0B
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0E
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0M
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.digicert.com0R
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://ocsp2.globalsign.com/cloudsslsha2g30V
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.php
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, RegAsm.exe, 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, RegAsm.exe, 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp	String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://secure.globalsign.com/cacert/cloudsslsha2g3.crt06
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvrrg.img?h=166&w=310
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yHSm.img?h=75&w=100
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yqHP.img?h=75&w=100
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://www.msn.com
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 00000003.00000003.270439604.000000000227A000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.270303506.0000000002276000.00000004.00000001.sdmp, bhv4453.tmp.3.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv4453.tmp.3.dr	String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: vbc.exe, 00000003.00000002.273144244.000000000019C000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, bhv4453.tmp.3.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: RegAsm.exe, 00000001.00000002.516249428.00000000031E3000.00000004.00000001.sdmp	String found in binary or memory: https://a.pomf.cat/
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, bhv4453.tmp.3.dr	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://contextual.media.net/
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000003.00000003.272251788.00000000028BB000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.medi
Source: vbc.exe, 00000003.00000003.269966059.000000000226E000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.270109165.0000000002276000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000003.00000002.273357379.0000000002848000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.phpm
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 00000003.00000003.269966059.000000000226E000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.270109165.0000000002276000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/57/35/144/83ebc513-f6d1-4e0e-a39a-bef975147e85.jpg?v=9
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/75/95/36/612b163a-ff7b-498a-bad2-3c52bbd2c504.jpg?v=9
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://cvision.media.net/new/300x194/2/138/47/25/3b2da2d4-7a38-47c3-b162-f33e769f51f5.jpg?v=9
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE6B7572D
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_333%2Cw_311%2Cc_fill%2Cg_faces:aut
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, bhv4453.tmp.3.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: vbc.exe, 00000003.00000003.272251788.00000000028BB000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.273357379.0000000002848000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.269900621.0000000002263000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.269966059.000000000226E000.00000004.00000001.sdmp, bhv4453.tmp.3.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://pki.goog/repository/0
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=623d43496a394c99b1336ff5cc139eb9&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=299872286.1601476511
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv4453.tmp.3.dr	String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Code function: 0_2_00D8CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00D8CDAC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Code function: 0_2_00D02344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00D02344

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 3_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,

3_2_0040F078

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 19.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a9b8f2.0.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a9b8f2.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.522834a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a435a8.2.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a435a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RegAsm.exe.51d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.51d0345.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.522834a.3.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6d55bd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 19.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 19.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6df1c10.4.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6df1c10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.4a438ed.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RegAsm.exe.51d0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000013.00000000.401896100.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000013.00000000.402276978.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720, type: MEMORYSTR	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR	Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth

Binary is likely a compiled AutoIt script file

Show sources

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000000.246789907.0000000000DB5000.00000002.00020000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000000.246789907.0000000000DB5000.00000002.00020000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

AutoIt script contains suspicious strings

Show sources

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	AutoIt Script: $PROTECT ) LOCAL $BIN_SHELLCODE = REQ_TCJHAHVFDQURV
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	AutoIt Script: QMFVRQNV () LOCAL $LPSHELLCODE = DLLCALL (PNBIRNHK
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	AutoIt Script: ILE ) LOCAL $RET = DLLCALLADDRESS (MLHTVAHGQBSHGBCHDS

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE

Source: 19.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a9b8f2.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a9b8f2.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.522834a.3.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a435a8.2.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a435a8.2.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RegAsm.exe.51d0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.51d0345.1.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.522834a.3.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6d55bd0.5.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 19.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 19.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6df1c10.4.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6df1c10.4.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.4a438ed.1.raw.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RegAsm.exe.51d0000.2.unpack, type: UNPACKEDPE	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000000.401565016.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000013.00000000.401266886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000002.403068621.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000013.00000000.401896100.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000001.00000000.252098069.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000013.00000000.402276978.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000001.00000002.516270179.00000000031E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000000.251237840.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.514267996.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.518879964.00000000051D0000.00000004.00020000.sdmp, type: MEMORY	Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe PID: 4720, type: MEMORYSTR	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: RegAsm.exe PID: 5908, type: MEMORYSTR	Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D0E060	0_2_00D0E060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D0E800	0_2_00D0E800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D0FE40	0_2_00D0FE40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D16843	0_2_00D16843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D8804A	0_2_00D8804A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D37006	0_2_00D37006
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D1710E	0_2_00D1710E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D36522	0_2_00D36522
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D216C4	0_2_00D216C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D01287	0_2_00D01287
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D18A0E	0_2_00D18A0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D2BFE6	0_2_00D2BFE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Code function: 0_2_00D2DBB5	0_2_00D2DBB5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E634D0	1_2_02E634D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E60801	1_2_02E60801
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E6A1E3	1_2_02E6A1E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E65588	1_2_02E65588
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E68B90	1_2_02E68B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E64998	1_2_02E64998
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E6A798	1_2_02E6A798
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E61D2A	1_2_02E61D2A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E67F10	1_2_02E67F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E67518	1_2_02E67518
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E638B7	1_2_02E638B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63AB4	1_2_02E63AB4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E608B0	1_2_02E608B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E65880	1_2_02E65880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E6388B	1_2_02E6388B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E65890	1_2_02E65890
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E6369C	1_2_02E6369C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63868	1_2_02E63868
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63A77	1_2_02E63A77
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63671	1_2_02E63671
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E66A23	1_2_02E66A23
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63A3A	1_2_02E63A3A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E68439	1_2_02E68439
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63C00	1_2_02E63C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63E00	1_2_02E63E00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E60816	1_2_02E60816
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63217	1_2_02E63217
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E6361B	1_2_02E6361B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63218	1_2_02E63218
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E637FA	1_2_02E637FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E645C0	1_2_02E645C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E639DA	1_2_02E639DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E641D8	1_2_02E641D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E64DA1	1_2_02E64DA1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E64DB0	1_2_02E64DB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E637B8	1_2_02E637B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63B85	1_2_02E63B85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63580	1_2_02E63580
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E68B80	1_2_02E68B80
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63B62	1_2_02E63B62
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E65768	1_2_02E65768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63777	1_2_02E63777
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63744	1_2_02E63744
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E62721	1_2_02E62721
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E62730	1_2_02E62730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E66D30	1_2_02E66D30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E67F00	1_2_02E67F00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63B0F	1_2_02E63B0F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E6390D	1_2_02E6390D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E67508	1_2_02E67508
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E63711	1_2_02E63711
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0044900F	3_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_004042EB	3_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00414281	3_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00410291	3_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_004063BB	3_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00415624	3_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0041668D	3_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0040477F	3_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0040487C	3_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0043589B	3_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0043BA9D	3_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0043FBD3	3_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 19_2_00404DE5	19_2_00404DE5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 19_2_00404E56	19_2_00404E56
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 19_2_00404EC7	19_2_00404EC7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 19_2_00404F58	19_2_00404F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 19_2_0040BF6B	19_2_0040BF6B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004083D6 appears 32 times

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 1_2_02E6ACC8 NtUnmapViewOfSection,NtUnmapViewOfSection,		1_2_02E6ACC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,		3_2_0040978A

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.248337037.0000000000FF0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.316.10986.exe
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe, 00000000.00000003.251645855.0000000000FF2000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameReborn Stub.exe" vs SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Virustotal: Detection: 69%
Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	ReversingLabs: Detection: 77%

Source: SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBCAF.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBBC1.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBCAF.tmp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpBBC1.tmp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\78ede25b-fb90-6791-1ca9-e1fd644b6d85

Jump to behavior

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@7/3@0/0

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 3_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

3_2_00418073

Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, vbc.exe, 00000003.00000000.261547769.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000000.260466252.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.273168143.0000000000400000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.0.RegAsm.exe.400000.1.unpack, u200b????????????????????????????????????????.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u200b????????????????????????????????????????.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.SecuriteInfo.com.Trojan.AutoIt.316.10986.exe.ff0000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs	Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs	Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.AutoIt.316.10986.exe

Code function: 0_2_00D6A2D5 GetLastError,FormatMessageW,

0_2_00D6A2D5

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.AutoIt.316.10986.27538

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary: