
Windows Analysis Report
ORDER-NEW....pdf.exe

Overview

General Information

Sample Name: ORDER-NEW....pdf.exe
Analysis ID: 557358
MD5: 1baec657210438b896934a7a793c204c
SHA1: 4729717dab3dd01b2ca591c86a02176386e02356
SHA256: b041030454ea89a3ff2326405d3bf230f53daa9ecd50c3e3882a1ad6c0d2427c

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected HawkEye Rat
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected WebBrowserPassView password recovery tool
PE file has nameless sections
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to steal Instant Messenger accounts or passwords
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • ORDER-NEW....pdf.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\ORDER-NEW....pdf.exe" MD5: 1BAEC657210438B896934A7A793C204C)
    • AppLaunch.exe (PID: 7160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 6807F903AC06FF7E1670181378690B22)
      • vbc.exe (PID: 6356 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4296 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • WerFault.exe (PID: 6432 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4100 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8793a:$s1: HawkEye Keylogger
  • 0x879a3:$s1: HawkEye Keylogger
  • 0x80d7d:$s2: _ScreenshotLogger
  • 0x80d4a:$s3: _PasswordStealer
00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Source | Rule | Description | Author | Strings
18.0.vbc.exe.400000.4.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
18.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x87b3a:$s1: HawkEye Keylogger
  • 0x87ba3:$s1: HawkEye Keylogger
  • 0x11205a:$s1: HawkEye Keylogger
  • 0x1120c3:$s1: HawkEye Keylogger
  • 0x80f7d:$s2: _ScreenshotLogger
  • 0x10b49d:$s2: _ScreenshotLogger
  • 0x80f4a:$s3: _PasswordStealer
  • 0x10b46a:$s3: _PasswordStealer
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | SUSP_NET_NAME_ConfuserEx | Detects ConfuserEx packed file | Arnim Rupp
  • 0x8750d:$name: ConfuserEx
  • 0x111a2d:$name: ConfuserEx
  • 0x8621a:$compile: AssemblyTitle
  • 0x11073a:$compile: AssemblyTitle
0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
No Sigma rule has matched

AV Detection

Source: ORDER-NEW....pdf.exe; Virustotal: Detection: 62%
Source: ORDER-NEW....pdf.exe; ReversingLabs: Detection: 93%
Source: ORDER-NEW....pdf.exe; Avira: detected
Source: https://a.pomf.cat/; Avira URL Cloud: Label: phishing
Source: ORDER-NEW....pdf.exe; Joe Sandbox ML: detected
Source: 5.0.AppLaunch.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.4.unpack; Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 5.2.AppLaunch.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 5.0.AppLaunch.exe.400000.1.unpack; Avira: Label: TR/Dropper.Gen
Source: ORDER-NEW....pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ORDER-NEW....pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: mscorlib.pdbD source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: System.pdbd source: WER450B.tmp.dmp.9.dr
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
              Source: Binary string: .pdb+ source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb+ source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\ORDER-NEW....pdf.PDBh source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdba source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: System.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: (P3o0C:\Windows\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp, WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: ORDER-NEW....pdf.PDB source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\ORDER-NEW....pdf.PDB source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: mscorlib.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000002.933041044.0000000006FAE000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: System.Core.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Users\user\Desktop\ORDER-NEW....pdf.PDB[ source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: System.ni.pdb source: WER450B.tmp.dmp.9.dr
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 18_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
Source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000008.00000003.712462189.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712859827.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712423496.00000000022B7000.00000004.00000001.sdmp, bhvF129.tmp.8.dr; String found in binary or memory: http://172.217.23.78/
Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com/
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.digicert.com0R
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.msocsp.com0
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/gsr202
              Source: bhvF129.tmp.8.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0-
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
              Source: bhvF129.tmp.8.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
              Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, AppLaunch.exe, 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
              Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=333&w=311
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eTok.img?h=75&w=100
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=166&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=333&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
              Source: bhvF129.tmp.8.drString found in binary or memory: http://support.google.com/accounts/answer/151657
              Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.google.com/
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/
              Source: vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712829130.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712034300.00000000022B6000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712693489.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/?ocid=iehp
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
              Source: bhvF129.tmp.8.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
              Source: vbc.exe, 00000008.00000002.715560522.000000000019C000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: vbc.exe, 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: vbc.exe, 00000008.00000003.712859827.00000000022AF000.00000004.00000001.sdmp, bhvF129.tmp.8.drString found in binary or memory: https://172.217.23.78/
              Source: vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
              Source: bhvF129.tmp.8.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
              Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmpString found in binary or memory: https://a.pomf.cat/
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNRfxSclVePPTskt_ULwutuxovZBENP6CQBK41sqxH
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNSN_Te_GQT33AAAR6UNrVcn3a-PGny50bSNsHlzoT
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNRxRJyZzZp4KXfYTC7Z4q4fsi2jmRa8YGEqdB288n
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.com/adsid/google/ui
              Source: bhvF129.tmp.8.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes
              Source: bhvF129.tmp.8.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
              Source: bhvF129.tmp.8.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
              Source: vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
              Source: bhvF129.tmp.8.drString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
              Source: bhvF129.tmp.8.drString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
              Source: bhvF129.tmp.8.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/286x175/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
              Source: bhvF129.tmp.8.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
              Source: bhvF129.tmp.8.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQE7dARJDf70CVtvXguPcFi4kAoAFTTEX3FZ_Kd&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQEZeIjizh9n8teY_8BOjsYtpLHwSdIq3PT-WQtot4&s=10
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQFso5PEv3c0kRR2gODJUq62DZF6fnxNsqKUTBX-00QeuCR
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQJBttAzO3yKFNSKzEm8qyQoBw2vbSHn0xMB0yhbgc&s=10
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSkA3BhTLNTXreS8GxkTmsFGydHUKxWR3gtSn5&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQYaLHOGeTAvxcl2Kvu_RGdrblf1tOpndi7m5_OMgFvfzlI
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQc9-XcC69nXJpriIbLos4bSDdjrz_nByi2zL9xxJ4&s=10
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQcijPNIB_ZGSU0DrjPI_tJ1YOI-6PHUbyHUjTLi3M5nnkK
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQehqYcvOrRcw1YORGnrCzHbNyjMegefhpqYrPQO8G2_KPc
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQyeaAiOCtrhzoyiUuHOZcp67UWv4aYiYIKZ629tWqIyQ_l
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcR6qDJUCBqqO8k81oIRUuLKwKNP-ux5oIGn1btf&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRXMqY1lU5NXqI7H2QRWgHFAYTsfVdew3_6QMhtv0g&s=10
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRZaO1x4iyU-YgxgvuerXdFmXdj8Ce3rNy8Mqw2SlqePXDg
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRlHYHZu1FxxbUNbpii9NbSF3wy4srqmfLAOC-QBxw&s
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS2yfg_cFEuqKFbNZCaFykqy-jW3vHyGM224t0Sov33iXvh
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS7Tsy61sPGCiV6yILYtCYyP2q9i9bHmXBPqktk0xQvTH0l
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS9bnSRFZj9kLnT0CeZ7r27C9IrO3sFLnQL62gz&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSHEjIxVJou5NRecC2n_FnHaUJDfppR3IDOglu2Ry9INoxt
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSKx7_Dt9K5OFgp-raiLw2XdVNOTbR27N_DCL6T8VDVN_16
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSTkM_f5rN2hSSg3E_UshkUpgZ0a66Lz0rF6gF6&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcScI5035wSfgyvpN8fX27BnFHfF4a7I8z7Xlm7v&s=0
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSpNsTsg--kCoAxXjTvRrABIfJjd5ITzVx14ODQUC4wDGzB
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSrCEL2r-B2oHHnS0EeiVjQLJYayeF4GHjCZod9vr4&s
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSvX77JsybkskW6WoLj5kY6exJKuOkXoRWSsNgJbFY&s
              Source: bhvF129.tmp.8.drString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcT9-gm37CbSVQ1QMRdyqOvdY12lHBO7fXpaqZZqKP2Wbjr2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR
              Source: Yara match, File source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 8_2_0040F078 OpenClipboard,GetLastError,DeleteFileW

              System Summary

              Source: 18.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 18.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 18.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 18.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.7f31990.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.9480000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.94d834a.4.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.9480000.3.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.3.AppLaunch.exe.875dbda.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.2.AppLaunch.exe.7f31990.2.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 18.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.2.AppLaunch.exe.7e95950.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.9480345.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.2.AppLaunch.exe.94d834a.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.3.AppLaunch.exe.8705890.0.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.3.AppLaunch.exe.875dbda.2.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 18.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.3.AppLaunch.exe.8705bd5.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 5.3.AppLaunch.exe.8705890.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEye v9 Payload, Author: ditekshen
              Source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detects BabyShark KimJongRAT, Author: Florian Roth
              Source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR, Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
              Source: initial sample, Static PE information: Filename: ORDER-NEW....pdf.exe
              Source: ORDER-NEW....pdf.exe, Static PE information: section name:
              Source: ORDER-NEW....pdf.exe, Static PE information: section name: )xrUhX
              Source: ORDER-NEW....pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 18.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 18.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 18.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 18.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 18.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.7f31990.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.9480000.3.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.94d834a.4.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.9480000.3.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.3.AppLaunch.exe.875dbda.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.2.AppLaunch.exe.7f31990.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 18.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.2.AppLaunch.exe.7e95950.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.9480345.5.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.2.AppLaunch.exe.94d834a.4.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.3.AppLaunch.exe.8705890.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.3.AppLaunch.exe.875dbda.2.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 18.0.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.3.AppLaunch.exe.8705bd5.1.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 5.3.AppLaunch.exe.8705890.0.raw.unpack, type: UNPACKEDPEMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPEMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
              Source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPEMatched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
              Source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
              Source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00415F19 appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044468C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004162C2 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00412084 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444B90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041607A appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004083D6 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_09E31398 NtUnmapViewOfSection,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
Source: ORDER-NEW....pdf.exe | Binary or memory string: OriginalFilename vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFm.dll& vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameFm.dll& vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.709923346.0000000002C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclsRP.dll, vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.709923346.0000000002C71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.709383685.0000000001240000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameclsRP.dll, vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe, 00000000.00000000.662259035.00000000008A6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameORDER-NEW.exeT vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe | Binary or memory string: OriginalFilenameORDER-NEW.exeT vs ORDER-NEW....pdf.exe
Source: ORDER-NEW....pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ORDER-NEW....pdf.exe | Static PE information: Section: )xrUhX ZLIB complexity 1.00031528433
Source: ORDER-NEW....pdf.exe | Virustotal: Detection: 62%
Source: ORDER-NEW....pdf.exe | ReversingLabs: Detection: 93%
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | File read: C:\Users\user\Desktop\ORDER-NEW....pdf.exe
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ORDER-NEW....pdf.exe "C:\Users\user\Desktop\ORDER-NEW....pdf.exe"
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp
Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\Temp\7e8a2afc-e75b-3dcf-f7ef-7d8629ca2b45
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@11/9@0/0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 5.0.AppLaunch.exe.400000.2.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.AppLaunch.exe.400000.2.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.AppLaunch.exe.400000.2.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.AppLaunch.exe.400000.4.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 5.0.AppLaunch.exe.400000.3.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 5.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.2.AppLaunch.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.AppLaunch.exe.400000.4.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 5.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 5.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 5.0.AppLaunch.exe.400000.2.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
              Source: 5.0.AppLaunch.exe.400000.2.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
              Source: 5.0.AppLaunch.exe.400000.2.unpack, u202a????????????????????????????????????????.csSecurity API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00417BE9 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00413424 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
              Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6860
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Mutant created: \Sessions\1\BaseNamedObjects\714e5fbb-f83f-4388-95bc-ab8eaa6f89ea
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004141E0 FindResourceW,SizeofResource,LoadResource,LockResource,
              Source: 5.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 5.0.AppLaunch.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 5.0.AppLaunch.exe.400000.0.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 5.0.AppLaunch.exe.400000.4.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 5.0.AppLaunch.exe.400000.4.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 5.0.AppLaunch.exe.400000.4.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 5.0.AppLaunch.exe.400000.3.unpack, u206b????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 5.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
              Source: 5.0.AppLaunch.exe.400000.3.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: ORDER-NEW....pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: ORDER-NEW....pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: mscorlib.pdbD source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: System.pdbd source: WER450B.tmp.dmp.9.dr
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: System.Core.ni.pdbRSDSD source: WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER450B.tmp.dmp.9.dr
              Source: Binary string: .pdb+ source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb+ source: ORDER-NEW....pdf.exe, 00000000.00000000.716135209.00000000082D2000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740801711.00000000082D2000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\ORDER-NEW....pdf.PDBh source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: \??\C:\Windows\mscorlib.pdba source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb* source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: System.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: (P3o0C:\Windows\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp, WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: ORDER-NEW....pdf.exe, 00000000.00000000.716149183.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.706455152.00000000082D5000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.740808600.00000000082D5000.00000004.00000001.sdmp
              Source: Binary string: ORDER-NEW....pdf.PDB source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\user\Desktop\ORDER-NEW....pdf.PDB source: ORDER-NEW....pdf.exe, 00000000.00000000.708210872.0000000000CF4000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000002.730094342.0000000000CF4000.00000004.00000001.sdmp
              Source: Binary string: System.Drawing.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: mscorlib.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: AppLaunch.exe, 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, AppLaunch.exe, 00000005.00000002.933041044.0000000006FAE000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp
              Source: Binary string: System.Core.pdb source: WER450B.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Users\user\Desktop\ORDER-NEW....pdf.PDB[ source: ORDER-NEW....pdf.exe, 00000000.00000002.730604414.0000000000EC8000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.708566677.0000000000EC7000.00000004.00000020.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.698387590.0000000000EC7000.00000004.00000020.sdmp
              Source: Binary string: System.ni.pdb source: WER450B.tmp.dmp.9.dr
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_05437504 push E801025Eh; ret
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054374FC push E802005Eh; retf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054360CF push es; ret
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_0543326C push ss; retf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_054332F5 push ss; retf
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 5_2_0543F28C push 850FD83Bh; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00444975 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00444B90 push eax; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00448E74 push eax; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0042CF44 push ebx; retf 0042h
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00412341 push ecx; ret
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00412360 push eax; ret
              Source: ORDER-NEW....pdf.exe | Static PE information: section name: )xrUhX
              Source: ORDER-NEW....pdf.exe | Static PE information: section name:
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
              Source: initial sample | Static PE information: section name: )xrUhX entropy: 7.99978046274

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | File opened: C:\Users\user\Desktop\ORDER-NEW....pdf.exe:Zone.Identifier read attributes | delete
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5892 | Thread sleep count: 146 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 5892 | Thread sleep time: -146000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7164 | Thread sleep count: 134 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7164 | Thread sleep time: -134000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Last function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0041829C memset,GetSystemInfo,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp | Binary or memory string: virtualMachine
              Source: Amcache.hve.9.dr | Binary or memory string: VMware
              Source: Amcache.hve.9.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
              Source: Amcache.hve.9.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
              Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.9.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
              Source: Amcache.hve.9.dr | Binary or memory string: VMware, Inc.
              Source: bhvF129.tmp.8.dr | Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220121T000947Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=222178a1e1114cf5ab744bb5c0e1dbd6&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1351077&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1351077&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
              Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp | Binary or memory string: ValueTypeDecryptionFileUnblockerVirtualMachineGetVmSInstallClassKnownFolderFlagsEnumKfKnownFolder<>c__DisplayClass1_0<>cProgramRrRunPersistenceSafeNativeMethodsStartClassStartupShortcutResourcesFm.PropertiesSettingsApplicationSettingsBaseSystem.ConfigurationIWshShellFm.IWshRuntimeLibraryIWshShell2IWshShell3IWshShortcutWshShell__StaticArrayInitTypeSize=16<PrivateImplementationDetails>
              Source: Amcache.hve.9.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.9.dr | Binary or memory string: VMware7,1
              Source: Amcache.hve.9.dr | Binary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.9.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.9.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.9.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.9.dr | Binary or memory string: VMware, Inc.me
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp | Binary or memory string: .cctorGetFolderPath2installFolderGetInstallFolderGetSpecialFolderfolder.ctorByteArrayToStringdataMd5HashDataSaveDatafileNameAdataAWatpathtxtAzpackageCountdicoptionsCompressNewMethodSomnisormillisecondsWobjectmethodInvokevalueBeginInvokeIAsyncResultAsyncCallbackcallbackEndInvokeresultEFList`1listbinaryReaderDecryptplainBytespassPhraseUnblockPathUnblockFilefileNameDetectVmvirtualMachineSandieget_Hostset_Hostget_MachineNameset_MachineNamehostmachineNameTryInstallexecPathinstallPathstartupFolderkeyNamevalueNameoptionsDelayTimeCmdCopyoriginalPathnewPathGetPathknownFolderdefaultUserGetDefaultPathInitializeflagsSetPathkeyMain<.cctor>b__1rn<.cctor>b__1_0senderbargsImgTDataimagesReadMResNewStringBuilderlongnumberseedSignalnameTryClaimmutexWaittimeoutMonitorSpawnlingstateReclaimMutexBeginMonitorSpawnlingprocessSpawnNewProcessBeginReclaimMutexWaitForCloseSignalBeginWaitForCloseSignalCloseSiblingsDeleteFilekernel32ShGetFhwndOwnernFolderhTokendwFlagspszPathSHGetFolderPathshell32.dllShGetrfidppszPathSHGetKnownFolderPathShell32.dllShSetSHSetKnownFolderPathGetMdlpModuleNameGetModuleHandlekernel32.dllComputeGetTimeStampDicIList`1parametersGetHostPathindexdefaultPathLocalPathStartFilefilemodeYinstalFolderInstallFolderCompareFileSizesf1f2SrkDecompressMphparamMrgRunPe1newpathbytearrayBytesexePathCssget_ResourceManagerget_Cultureset_Cultureget_clsRPget_Default_VtblGap1_4CreateShortcutPathLinkget_FullName_VtblGap1_9get_TargetPathset_TargetPath_VtblGap2_2get_WorkingDirectoryset_WorkingDirectory_VtblGap3_1iCreateMemberRefsDelegatestypeIDCreateGetStringDelegateownerTypeSetProcessWorkingSetSizeEventArgsAttachAppGetstringIDHostMachineNameCultureDefaultFullNameTargetPathWorkingDirectoryAssemblyDescriptionAttributeAssemblyConfigurationAttributeAssemblyCompanyAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyTitleAttributeComVisibleAttributeTargetFrameworkAttributeSystem.Runtime.VersioningGuidAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyTrademarkAttributeAssemblyFileVersionAttributeSuppressIldasmAttributeFlagsAttributeCompilerGeneratedAttributeGeneratedCodeAttributeSystem.CodeDom.CompilerDebuggerNonUserCodeAttributeTypeIdentifierAttributeDefaultMemberAttributeCoClassAttributeAttributeUsageAttributeAttributeTargetsSTAThreadAttributeDispIdAttributeEditorBrowsableAttributeSystem.ComponentModelEditorBrowsableStateFm.Properties.Resources.resourcesFm.Resources.clsRP.xlgCharInt32IntPtrZeroEmptyMD5CryptoServiceProviderExceptionget_ItemReadAllBytesContainsProcessIdStreamReaderBooleanAddByteDoubleInt64SByteInt16SingleUInt32UInt64UInt16ReadBytesRijndaelManagedCryptoStreamModeIEquatable`1RegistryLocalMachineExternalExceptionFunc`2System.CoreEnumerableSystem.LinqFirstOrDefaultIEnumerable`1ArgumentExceptionPointInvalidOperationExceptionLastEventResetModeParameterizedThreadStartThreadStartICollection`1get_CountCurrentUserDeflateStreamSystem.IO.CompressionCompressionModeResolveTypeHandleGetFieldsFieldInfoBindingFlagsget_CharsResolveMethodHandl
              Source: Amcache.hve.9.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733095475.0000000003C71000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.699217663.0000000002C20000.00000004.00020000.sdmp | Binary or memory string: VirtualMachine
              Source: Amcache.hve.9.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004443B0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeMemory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3AB008
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 291008
              Source: 5.0.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.0.AppLaunch.exe.400000.4.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.0.AppLaunch.exe.400000.3.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.2.AppLaunch.exe.400000.0.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.0.AppLaunch.exe.400000.2.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: 5.0.AppLaunch.exe.400000.1.unpack, u200d????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.699115256.0000000001690000.00000002.00020000.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.709749986.0000000001690000.00000002.00020000.sdmp, AppLaunch.exe, 00000005.00000002.932216392.00000000057E0000.00000002.00020000.sdmpBinary or memory string: Program Manager
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.699115256.0000000001690000.00000002.00020000.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.709749986.0000000001690000.00000002.00020000.sdmp, AppLaunch.exe, 00000005.00000002.932216392.00000000057E0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.699115256.0000000001690000.00000002.00020000.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.709749986.0000000001690000.00000002.00020000.sdmp, AppLaunch.exe, 00000005.00000002.932216392.00000000057E0000.00000002.00020000.sdmpBinary or memory string: Progman
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.699115256.0000000001690000.00000002.00020000.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.709749986.0000000001690000.00000002.00020000.sdmp, AppLaunch.exe, 00000005.00000002.932216392.00000000057E0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeQueries volume information: C:\Users\user\Desktop\ORDER-NEW....pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\ORDER-NEW....pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_00418137 GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 8_2_004083A1 GetVersionExW,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 18_2_004073B6 memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
              Source: Amcache.hve.9.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

              Stealing of Sensitive Information

              Source: Yara matchFile source: 18.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.7f31990.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.9480000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.94d834a.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.9480000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.875dbda.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.7f31990.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.7e95950.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.9480345.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.94d834a.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.8705890.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.875dbda.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 18.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.8705bd5.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.8705890.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.933041044.0000000006FAE000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 4296, type: MEMORYSTR
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: ESMTPPassword
              Source: Yara matchFile source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.9480345.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.9480000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.9480000.3.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.7e95950.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.9480345.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.8705bd5.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.2.AppLaunch.exe.7e95950.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.8705890.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.8705bd5.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.3.AppLaunch.exe.8705890.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000000.704117458.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000008.00000000.703279347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 6356, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: Yara matchFile source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 5.0.AppLaunch.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.9.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.19.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.23.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.4a73c3c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.24.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.4afe15c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5af10f4.12.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.5b7b560.11.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.49e970c.21.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.5b7b560.11.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4afe15c.20.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.5af10f4.10.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.4a73c3c.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 5.0.AppLaunch.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.ORDER-NEW....pdf.exe.49e970c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.2.ORDER-NEW....pdf.exe.49e970c.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: ORDER-NEW....pdf.exe PID: 6860, type: MEMORYSTR
              Source: Yara match, File source: Process Memory Space: AppLaunch.exe PID: 7160, type: MEMORYSTR
              Source: ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
              Source: ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
              Source: AppLaunch.exe, 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
              Source: AppLaunch.exe, 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid Accounts111
              Windows Management Instrumentation
              Path Interception412
              Process Injection
              11
              Disable or Modify Tools
              1
              OS Credential Dumping
              1
              System Time Discovery
              Remote Services11
              Archive Collected Data
              Exfiltration Over Other Network Medium1
              Encrypted Channel
              Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default Accounts11
              Native API
              Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts11
              Deobfuscate/Decode Files or Information
              2
              Credentials in Registry
              1
              Account Discovery
              Remote Desktop Protocol1
              Data from Local System
              Exfiltration Over Bluetooth1
              Remote Access Software
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain Accounts1
              Shared Modules
              Logon Script (Windows)Logon Script (Windows)3
              Obfuscated Files or Information
              1
              Credentials In Files
              1
              File and Directory Discovery
              SMB/Windows Admin Shares1
              Email Collection
              Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)4
              Software Packing
              NTDS19
              System Information Discovery
              Distributed Component Object Model1
              Clipboard Data
              Scheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script13
              Virtualization/Sandbox Evasion
              LSA Secrets241
              Security Software Discovery
              SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.common412
              Process Injection
              Cached Domain Credentials13
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup Items1
              Hidden Files and Directories
              DCSync4
              Process Discovery
              Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
              System Owner/User Discovery
              Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
              Remote System Discovery
              Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
              Source | Detection | Scanner | Label | Link
              ORDER-NEW....pdf.exe | 63% | Virustotal | | Browse
              ORDER-NEW....pdf.exe | 94% | ReversingLabs | ByteCode-MSIL.Trojan.Skeeyah |
              ORDER-NEW....pdf.exe | 100% | Avira | HEUR/AGEN.1120322 |
              ORDER-NEW....pdf.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              Source | Detection | Scanner | Label | Link | Download
              5.0.AppLaunch.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
              5.0.AppLaunch.exe.400000.4.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
              0.0.ORDER-NEW....pdf.exe.7f0000.1.unpack | 100% | Avira | HEUR/AGEN.1120322 | | Download File
              5.0.AppLaunch.exe.400000.3.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
              8.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1210557 | | Download File
              0.2.ORDER-NEW....pdf.exe.7f0000.0.unpack | 100% | Avira | HEUR/AGEN.1120322 | | Download File
              8.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1210557 | | Download File
              8.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1210557 | | Download File
              5.2.AppLaunch.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
              0.0.ORDER-NEW....pdf.exe.7f0000.13.unpack | 100% | Avira | HEUR/AGEN.1120322 | | Download File
              8.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1210557 | | Download File
              8.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1210557 | | Download File
              8.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1210557 | | Download File
              0.0.ORDER-NEW....pdf.exe.7f0000.0.unpack | 100% | Avira | HEUR/AGEN.1120322 | | Download File
              5.0.AppLaunch.exe.400000.2.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
              5.0.AppLaunch.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen | | Download File
              8.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1210557 | | Download File
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
              https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js | 0% | URL Reputation | safe |
              http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z | 0% | Avira URL Cloud | safe |
              https://a.pomf.cat/ | 4% | Virustotal | | Browse
              https://a.pomf.cat/ | 100% | Avira URL Cloud | phishing |
              https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js | 0% | Virustotal | | Browse
              https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js | 0% | Avira URL Cloud | safe |
              http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
              https://logincdn.msauth.net/16.000.28230.00/images/ellipsis_white.svg?x=5ac590ee72bfe06a7cecfd75b588 | 0% | Avira URL Cloud | safe |
              https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css | 0% | URL Reputation | safe |
              https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937 | 0% | URL Reputation | safe |
              https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5 | 0% | URL Reputation | safe |
              https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e | 0% | Avira URL Cloud | safe |
              http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
              https://logincdn.msauth.net/16.000.28230.00/Converged_v21033.css | 0% | Avira URL Cloud | safe |
              https://pki.goog/repository/0 | 0% | URL Reputation | safe |
              https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | 0% | URL Reputation | safe |
              https://172.217.23.78/ | 0% | Avira URL Cloud | safe |
              https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js | 0% | URL Reputation | safe |
              http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVhZWEwOTA0MmYxYzJjMDRlMmU1NDg1YzZmNjY2NTU5N2E5N | 0% | Avira URL Cloud | safe |
              http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z | 0% | Avira URL Cloud | safe |
              http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
              http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe |
              http://pki.goog/gsr2/GTS1O1.crt0# | 0% | URL Reputation | safe |
              http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe |
              http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxYWZjY2Q0NWJhMmI1MGJkMWJjMzhmMGFlZWM2MDJmMjc2O | 0% | Avira URL Cloud | safe |
              No contacted domains info
              NameSourceMaliciousAntivirus DetectionReputation
              http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplatebhvF129.tmp.8.drfalse
                high
                https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.pngbhvF129.tmp.8.drfalse
                  high
                  https://www.google.com/chrome/static/css/main.v2.min.cssbhvF129.tmp.8.drfalse
                    high
                    https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQvbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drfalse
                      high
                      https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpgbhvF129.tmp.8.drfalse
                        high
                        https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637bhvF129.tmp.8.drfalse
                          high
                          http://www.msn.combhvF129.tmp.8.drfalse
                            high
                            http://www.nirsoft.netvbc.exe, 00000008.00000002.715560522.000000000019C000.00000004.00000001.sdmpfalse
                              high
                              https://deff.nelreports.net/api/report?cat=msnbhvF129.tmp.8.drfalse
                              • URL Reputation: safe
                              unknown
                              https://contextual.media.net/__media__/js/util/nrrV9140.jsbhvF129.tmp.8.drfalse
                                high
                                https://www.google.com/chrome/static/images/chrome-logo.svgbhvF129.tmp.8.drfalse
                                  high
                                  https://www.google.com/chrome/static/images/homepage/homepage_features.pngbhvF129.tmp.8.drfalse
                                    high
                                    https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.jsbhvF129.tmp.8.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.pngbhvF129.tmp.8.drfalse
                                      high
                                      https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.gobhvF129.tmp.8.drfalse
                                        high
                                        https://www.google.com/complete/search?q=chr&cp=3&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=bhvF129.tmp.8.drfalse
                                          high
                                          http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2ZbhvF129.tmp.8.drfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://a.pomf.cat/AppLaunch.exe, 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmptrue
                                          • 4%, Virustotal, Browse
                                          • Avira URL Cloud: phishing
                                          unknown
                                          https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0fbhvF129.tmp.8.drfalse
                                            high
                                            https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.jsbhvF129.tmp.8.drfalse
                                            • 0%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1bhvF129.tmp.8.drfalse
                                              high
                                              https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.pngbhvF129.tmp.8.drfalse
                                                high
                                                https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowsbhvF129.tmp.8.drfalse
                                                  high
                                                  https://maps.windows.com/windows-app-web-linkbhvF129.tmp.8.drfalse
                                                    high
                                                    http://www.msn.com/?ocid=iehpvbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712829130.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712034300.00000000022B6000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712693489.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.drfalse
                                                      high
                                                      https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3bhvF129.tmp.8.drfalse
                                                        high
                                                        http://crl.pki.goog/GTS1O1core.crl0bhvF129.tmp.8.drfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9bhvF129.tmp.8.drfalse
                                                          high
                                                          http://www.nirsoft.net/vbc.exe, 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmpfalse
                                                            high
                                                            https://logincdn.msauth.net/16.000.28230.00/images/ellipsis_white.svg?x=5ac590ee72bfe06a7cecfd75b588bhvF129.tmp.8.drfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://www.google.com/chrome/static/images/homepage/hero-anim-middle.pngbhvF129.tmp.8.drfalse
                                                              high
                                                              https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.cssbhvF129.tmp.8.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.google.com/chrome/static/css/main.v3.min.cssbhvF129.tmp.8.drfalse
                                                                high
                                                                https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&psbhvF129.tmp.8.drfalse
                                                                  high
                                                                  https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937bhvF129.tmp.8.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5bhvF129.tmp.8.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pqbhvF129.tmp.8.drfalse
                                                                    high
                                                                    https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3kbhvF129.tmp.8.drfalse
                                                                      high
                                                                      https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eeebhvF129.tmp.8.drfalse
                                                                        high
                                                                        https://www.google.com/?gws_rd=sslbhvF129.tmp.8.drfalse
                                                                          high
                                                                          https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266ebhvF129.tmp.8.drfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_PbhvF129.tmp.8.drfalse
                                                                            high
                                                                            https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9bhvF129.tmp.8.drfalse
                                                                              high
                                                                              https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9bhvF129.tmp.8.drfalse
                                                                                high
                                                                                https://www.google.com/chrome/static/images/download-browser/pixel_phone.pngbhvF129.tmp.8.drfalse
                                                                                  high
                                                                                  http://pki.goog/gsr2/GTS1O1.crt0bhvF129.tmp.8.drfalse
                                                                                  • URL Reputation: safe
                                                                                  unknown
                                                                                  https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1bhvF129.tmp.8.drfalse
                                                                                    high
                                                                                    https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xmlbhvF129.tmp.8.drfalse
                                                                                      high
                                                                                      https://www.google.com/chrome/static/images/app-store-download.pngbhvF129.tmp.8.drfalse
                                                                                        high
                                                                                        https://www.google.com/complete/search?q=ch&cp=2&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0bhvF129.tmp.8.drfalse
                                                                                          high
                                                                                          https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.pngbhvF129.tmp.8.drfalse
                                                                                            high
                                                                                            https://contextual.media.net/bhvF129.tmp.8.drfalse
                                                                                              high
                                                                                              https://logincdn.msauth.net/16.000.28230.00/Converged_v21033.cssbhvF129.tmp.8.drfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
Name | Source | Malicious | Antivirus detection | Reputation
https://pki.goog/repository/0 | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
https://www.msn.com/ | vbc.exe, 00000008.00000003.712462189.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712423496.00000000022B7000.00000004.00000001.sdmp, bhvF129.tmp.8.dr | false | - | high
https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/? | vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.dr | false | - | high
https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1 | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUe | bhvF129.tmp.8.dr | false | - | high
https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9 | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/favicon.ico | bhvF129.tmp.8.dr | false | - | high
http://www.msn.com/ | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png | bhvF129.tmp.8.dr | false | - | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734 | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg | bhvF129.tmp.8.dr | false | - | high
https://172.217.23.78/ | vbc.exe, 00000008.00000003.712859827.00000000022AF000.00000004.00000001.sdmp, bhvF129.tmp.8.dr | false | Avira URL Cloud: safe | unknown
https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9 | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/images/nav_logo299.png | bhvF129.tmp.8.dr | false | - | high
http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804 | bhvF129.tmp.8.dr | false | - | high
https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9 | bhvF129.tmp.8.dr | false | - | high
https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3 | bhvF129.tmp.8.dr | false | - | high
https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVhZWEwOTA0MmYxYzJjMDRlMmU1NDg1YzZmNjY2NTU5N2E5N | bhvF129.tmp.8.dr | false | Avira URL Cloud: safe | unknown
https://contextual.media.net/48/nrrV18753.js | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/chrome/static/images/fallback/icon-help.jpg | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0& | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/accounts/servicelogin | vbc.exe | false | - | high
https://consent.google.com/set?pc=s&uxe=4421591 | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/chrome/static/images/homepage/google-enterprise.png | bhvF129.tmp.8.dr | false | - | high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z | bhvF129.tmp.8.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/static/images/homepage/google-dev.png | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/images/hpp/Chrome_Owned_96x96.png | bhvF129.tmp.8.dr | false | - | high
http://crl.pki.goog/gsr2/gsr2.crl0? | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
https://srtb.msn.com/auction?a=de-ch&b=28e3747a031f4b2a8498142b7c961529&c=MSN&d=http%3A%2F%2Fwww.msn | bhvF129.tmp.8.dr | false | - | high
http://pki.goog/gsr2/GTSGIAG3.crt0) | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF | bhvF129.tmp.8.dr | false | - | high
https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2 | bhvF129.tmp.8.dr | false | - | high
https://policies.yahoo.com/w3c/p3p.xml | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/ | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/chrome/static/images/fallback/icon-fb.jpg | bhvF129.tmp.8.dr | false | - | high
https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.png | bhvF129.tmp.8.dr | false | - | high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes | bhvF129.tmp.8.dr | false | - | high
http://google.com/ | bhvF129.tmp.8.dr | false | - | high
https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_ | bhvF129.tmp.8.dr | false | - | high
http://pki.goog/gsr2/GTS1O1.crt0# | bhvF129.tmp.8.dr | false | URL Reputation: safe | unknown
http://pomf.cat/upload.php&https://a.pomf.cat/ | ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, ORDER-NEW....pdf.exe, 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, AppLaunch.exe, 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https | vbc.exe, 00000008.00000003.712390571.00000000022AF000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712341279.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712199419.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712142150.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712293496.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711936953.00000000022B7000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.711967368.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712232690.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000008.00000003.712081309.00000000022A2000.00000004.00000001.sdmp, bhvF129.tmp.8.dr | false | - | high
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxYWZjY2Q0NWJhMmI1MGJkMWJjMzhmMGFlZWM2MDJmMjc2O | bhvF129.tmp.8.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authus | bhvF129.tmp.8.dr | false | - | high
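Nearly every row in this table is sourced from bhvF129.tmp.8.dr (a file dropped by process 8, vbc.exe) or from vbc.exe's own memory. Read together with the signatures listed for this sample (WebBrowserPassView detected, browser history and passwords harvested), those URLs look like the victim's browsing data copied by the dropped recovery tool rather than infrastructure the malware contacts; that reading is an analyst's judgement, not something the report states. The single row the sandbox marks malicious, http://pomf.cat/upload.php&https://a.pomf.cat/, is different in kind: it is present in the original sample's memory and in AppLaunch.exe at 0x00402000, the image region of the process that the process-hollowing signature points at, and pomf.cat is a public file-hosting service. The Python below is an added example, not code from Joe Sandbox or from this report. It parses rows in the flattened layout shown above (URL, source list and Malicious cell fused on one line, detection bullets, then the reputation cell) and separates rows seen only in the recovery tool's data from rows seen elsewhere. KNOWN_SOURCES and NOISE_SOURCES are assumptions taken from this report's process and file names, and the sample rows are constructed to mirror the layout.

```python
"""Parse and triage the flattened URL table of a Joe Sandbox report.

Added example, not code from Joe Sandbox or the report. The row layout,
source names and dump identifiers mirror this report; the sample rows
themselves are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Process and dropped-file names that appear as URL sources in this report.
# Assumption: the list covers every row we parse; the URL cell ends at the
# earliest occurrence of one of these names.
KNOWN_SOURCES = ("ORDER-NEW....pdf.exe", "AppLaunch.exe", "vbc.exe", "bhvF129.tmp.8.dr")

# Analyst judgement (an assumption, not a statement in the report): vbc.exe is
# the dropped password-recovery tool and bhvF129.tmp.8.dr the browser data it
# copied, so URLs seen only there are the victim's browsing history.
NOISE_SOURCES = frozenset({"vbc.exe", "bhvF129.tmp.8.dr"})

# Constructed sample in the report's flattened layout: one line per row with
# "<URL><source list><true|false>" fused together, then optional
# "• <engine>: <verdict>" lines, then the reputation cell on its own line.
SAMPLE_ROWS = """\
https://pki.goog/repository/0bhvF129.tmp.8.drfalse
• URL Reputation: safe
unknown
https://www.msn.com/vbc.exe, 00000008.00000003.712462189.00000000022AF000.00000004.00000001.sdmp, bhvF129.tmp.8.drfalse
high
http://pomf.cat/upload.php&https://a.pomf.cat/ORDER-NEW....pdf.exe, 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, AppLaunch.exe, 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmptrue
• Avira URL Cloud: safe
unknown
https://www.google.com/favicon.icobhvF129.tmp.8.drfalse
high
"""


@dataclass
class UrlRow:
    url: str
    sources: Dict[str, List[str]]  # source name -> memory dumps it was seen in
    malicious: bool
    detections: List[Tuple[str, str]] = field(default_factory=list)
    reputation: Optional[str] = None


def _parse_row_line(line: str, known_sources=KNOWN_SOURCES) -> UrlRow:
    """Split one fused "<URL><sources><true|false>" line into its cells."""
    if line.endswith("true"):
        malicious, body = True, line[: -len("true")]
    elif line.endswith("false"):
        malicious, body = False, line[: -len("false")]
    else:
        raise ValueError(f"no Malicious cell at end of row: {line!r}")
    # The URL runs straight into the first source name; cut at the earliest
    # known source name (index 0 is impossible because the URL comes first).
    hits = [body.find(name) for name in known_sources]
    cut = min((i for i in hits if i > 0), default=None)
    if cut is None:
        raise ValueError(f"no known source name in row: {line!r}")
    url, source_cell = body[:cut], body[cut:]
    sources: Dict[str, List[str]] = {}
    owner = None
    for token in source_cell.split(", "):
        if token.endswith(".sdmp") and owner is not None:
            sources[owner].append(token)  # a dump belongs to the preceding process
        else:
            owner = token
            sources.setdefault(owner, [])
    return UrlRow(url=url, sources=sources, malicious=malicious)


def parse_url_table(text: str, known_sources=KNOWN_SOURCES) -> List[UrlRow]:
    """Walk the flattened table line by line and rebuild one UrlRow per URL."""
    rows: List[UrlRow] = []
    current: Optional[UrlRow] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("http://", "https://")):
            current = _parse_row_line(line, known_sources)
            rows.append(current)
        elif line.startswith("•") and current is not None:
            engine, _, verdict = line[1:].partition(":")
            current.detections.append((engine.strip(), verdict.strip()))
        elif current is not None and current.reputation is None:
            current.reputation = line
    return rows


def triage(rows: List[UrlRow], noise_sources=NOISE_SOURCES) -> List[UrlRow]:
    """Rows an analyst should look at: flagged malicious by the sandbox, or seen
    in a source other than the recovery tool and the browser data it dumped."""
    return [r for r in rows if r.malicious or set(r.sources) - set(noise_sources)]


if __name__ == "__main__":
    for row in triage(parse_url_table(SAMPLE_ROWS)):
        print(row.url, "malicious=%s" % row.malicious, sorted(row.sources))
```

Run against the sample rows, triage keeps only the pomf.cat row: it is the one URL seen in the original sample and in the hollowed AppLaunch.exe rather than in the recovery tool's output. Adjusting NOISE_SOURCES is the knob to turn for a different report; the parser itself only needs the list of source names that appear in that report's table.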
                                                                                                                                                                      No contacted IP infos
                                                                                                                                                                      Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                                      Analysis ID:557358
                                                                                                                                                                      Start date:21.01.2022
                                                                                                                                                                      Start time:01:09:07
                                                                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                                                                      Overall analysis duration:0h 10m 36s
                                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                                      Report type:light
                                                                                                                                                                      Sample file name:ORDER-NEW....pdf.exe
                                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                                      Technologies:
                                                                                                                                                                      • HCA enabled
                                                                                                                                                                      • EGA enabled
                                                                                                                                                                      • HDC enabled
                                                                                                                                                                      • AMSI enabled
                                                                                                                                                                      Analysis Mode:default
                                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                                      Detection:MAL
                                                                                                                                                                      Classification:mal100.phis.troj.spyw.evad.winEXE@11/9@0/0
                                                                                                                                                                      EGA Information:
                                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                                      HDC Information:
                                                                                                                                                                      • Successful, ratio: 97.4% (good quality ratio 94.5%)
                                                                                                                                                                      • Quality average: 85.8%
                                                                                                                                                                      • Quality standard deviation: 23%
                                                                                                                                                                      HCA Information:
                                                                                                                                                                      • Successful, ratio: 99%
                                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                      • Adjust boot time
                                                                                                                                                                      • Enable AMSI
                                                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                                      • Excluded IPs from analysis (whitelisted): 23.211.6.115, 13.89.179.12
                                                                                                                                                                      • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com
                                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:10:17 | API Interceptor | 1x Sleep call for process: AppLaunch.exe modified
01:10:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                                                                                                                                                                      No context
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):65536
                                                                                                                                                                      Entropy (8bit):1.0293440585745517
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:hIP8dyokHBUZMXCaK2+BKS/u7saS274ItIS:KsXsBUZMXCas//u7saX4ItIS
                                                                                                                                                                      MD5:B7607C5A67D60518DD35306885D2D5F0
                                                                                                                                                                      SHA1:89EB5329FC6F3C7990C4846F82064AE67D6340D9
                                                                                                                                                                      SHA-256:CD4381937B8E65768C8E6B01E37A2B0342A6279D64DC233E172D131FA21D5321
                                                                                                                                                                      SHA-512:6E57D47BD17B5E456F75ECB0C89FC47E78C35E3FDACFEA3959E84511C2CD41EE455EDB463580834E2D4780268668D0EC82B320B58137C2B98C85357980BC7BD1
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.7.1.9.7.4.2.7.6.9.1.3.3.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.7.1.9.7.4.3.2.3.0.0.6.8.1.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.d.4.6.c.f.c.-.4.4.f.f.-.4.6.4.d.-.a.1.b.a.-.5.5.8.3.6.e.d.b.9.3.7.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.4.5.f.9.a.5.-.a.c.f.7.-.4.8.d.9.-.a.4.7.c.-.6.7.f.9.c.0.d.2.7.2.e.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.R.D.E.R.-.N.E.W.........p.d.f...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.R.D.E.R.-.N.E.W...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.c.c.-.0.0.0.1.-.0.0.1.b.-.9.1.5.f.-.2.1.3.c.5.b.0.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.b.c.7.2.9.6.f.2.5.3.e.f.4.2.8.2.0.5.6.5.1.e.4.6.3.5.1.d.2.6.9.0.0.0.0.0.0.0.0.!.0.0.0.0.4.7.2.9.7.1.7.d.a.b.3.d.d.0.1.b.2.c.a.5.9.1.c.8.6.a.0.2.1.
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:Mini DuMP crash report, 14 streams, Fri Jan 21 00:10:28 2022, 0x1205a4 type
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):226070
                                                                                                                                                                      Entropy (8bit):3.6927076008180193
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3072:oUIB/Wr59gIOgF5P3d0kvS01jd+p7TUCgU5:oUB59RpDfd0J5pvTj
                                                                                                                                                                      MD5:AC7E17B4571E2921F7CEE372AECA7C2E
                                                                                                                                                                      SHA1:FB54FEF3DFA45217D659CAC8A065BAD67CF36A45
                                                                                                                                                                      SHA-256:8579D5A99A271FB4796EA56B2F41DC4196DBAAF7907B31C87AD4F8975FC19900
                                                                                                                                                                      SHA-512:1A3482D03D8B55781B60A334E785744C00F11093E5B7178EAB8DBED063D2D261ADDED3FD44513AA40559AD5609D83EA1D00A3A1D631C9881A2F6D5994245CB21
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):8440
                                                                                                                                                                      Entropy (8bit):3.7116856008780728
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:192:Rrl7r3GLNisr6u6YrGSUZwYgmfZ+OYSDz+prRP89bAesfzWAm:RrlsNiI6u6Y6SUZwYgmfcOYSowAdf8
                                                                                                                                                                      MD5:F8D33B020A04B76623B3DF988494C771
                                                                                                                                                                      SHA1:6107B8B4A98C023A040E2D478E91EE386538B1ED
                                                                                                                                                                      SHA-256:E72F166B7499D474C87536715569CAE42A28E0A3ECEC8D50E510652C368CB78F
                                                                                                                                                                      SHA-512:CEFE2816013CC0D050C857853DF0DF4D3D6D845C5DBD5BDDD705753BCA43901537F9F48860FA68228BC8924EB86D4A8EF6806A025D6B94FF5C0F59ADA5D35209
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.6.0.<./.P.i.d.>.......
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):4788
                                                                                                                                                                      Entropy (8bit):4.554814536874402
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:48:cvIwSD8zsFJgtWI9JVWSC8Bt8fm8M4JJ6E8FTp+q8vvEnnsd2OuOsd:uITffakSNUJJ6zKvI42OuOsd
                                                                                                                                                                      MD5:4BB86D387161A85F5B749B606B4D345E
                                                                                                                                                                      SHA1:DF32A0D54392C434920109868AABD723A2083FA1
                                                                                                                                                                      SHA-256:3B698B082DCDCDBA264AE8B0288D006F2E75740EB9B1178262FACDAEB6848370
                                                                                                                                                                      SHA-512:E01B21EE40F054CBDD14053BB79F421D19AB24D8F72BA68605308454DA78F2C7E52838D55BCB6908475EFE2CE23073C9E20A15648F4D292ED18A055108085030
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1351281" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):88
                                                                                                                                                                      Entropy (8bit):5.498871107126153
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:PFYyImXF9mNwkR/BhgnGgu8oMiOxn:PH1Gl5Qx
                                                                                                                                                                      MD5:537ED8DF56D73F21A755994D1C93FFC2
                                                                                                                                                                      SHA1:28962F1FDAECDA158CDCCBAE4BCCD8B8E3DB3226
                                                                                                                                                                      SHA-256:394D4FC05A58E0679261425BEB08D6D4454CDE7B7F7125BDFF71F2DFC89EC02C
                                                                                                                                                                      SHA-512:5CB00F9B5201141447ED4C7CAB3973A01A429C023CC470851144D035752530CF99B57FA86A0CDE1C97275B35A2DCA6375A489C4D77552FD8B11A789C40E9288A
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Reputation:low
                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x74a33dcf, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):29884416
                                                                                                                                                                      Entropy (8bit):1.082255052623099
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:24576:GDmPet8HVmy49w781tfXy7R4aUpPX7Cr6f63rsLOZ:Sm4y4JrO
                                                                                                                                                                      MD5:A7B64D8170665009A33F856D18628AEA
                                                                                                                                                                      SHA1:8891BA0D467C97814FCD77D67A78A67E9CD914F6
                                                                                                                                                                      SHA-256:62312B3DE715982ECBBD2BD9741124112E95EB301CF523BF0F55B1565D75B0AA
                                                                                                                                                                      SHA-512:DB716213E115225254F05923C8C5B566CEA41502CAF327DC78A8C6A27B83494DC157DC547E5D280927F9DBB392D0594AD0765244379321C02545C2281A491119
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):2
                                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:3:Qn:Qn
                                                                                                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):1572864
                                                                                                                                                                      Entropy (8bit):4.239826107855132
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:12288:AiwUr9bffhQ4HzTwWt9fw/3Gt+MEPAmSMYm0VAQUVpm++ywV:5wUr9bffhQEzTwyZt
                                                                                                                                                                      MD5:FC0ECF3DFFC95B0D0B66F85A5377B38F
                                                                                                                                                                      SHA1:5E0A6E3E964D4F7366F91C5C3426DE40C2334345
                                                                                                                                                                      SHA-256:E18926AD872FB94F16F2235C5B9FB4446B15148B2104E88457E5DCC86E47EF14
                                                                                                                                                                      SHA-512:E3A3A6136C2FA684B5E3FE5361D997F52B5562201AEE0939BECB8BECC0212C5953954DB8D9CCA0F5D16B989C095DCD9E429B5199CFEA8A8E0087434837C62EB5
                                                                                                                                                                      Malicious:false
                                                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                      Category:dropped
                                                                                                                                                                      Size (bytes):24576
                                                                                                                                                                      Entropy (8bit):3.5793505518149167
                                                                                                                                                                      Encrypted:false
                                                                                                                                                                      SSDEEP:384:G/EA52JOomTv+Xyb5R5YPv41gnVVeeDzej1NKZtjbT8G/wmAtWA7jm:6f2JONT2Xi5Rtg/eeDze5NYtj0G/wmb2
                                                                                                                                                                      MD5:61F6E0001723DE42C363948B8832922B
                                                                                                                                                                      SHA1:A8AAF1D133EDBD05B3B64F2A487D486E47C92DE5
                                                                                                                                                                      SHA-256:DC60F4D015083ECA2C0C5EA9135C1860B6DC0CD9B59581F8B07DD6B5ED85CCC6
                                                                                                                                                                      SHA-512:389E8A77497189B8AD2DE15DA2B9A4EDB59BBA436154E85936EF50A2E9D0A37C8386ADF773508FB1287DECA3BB55AB977CAE3796470608B2CBDBC68035C001C1
                                                                                                                                                                      Malicious:false
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.984856690873441
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: ORDER-NEW....pdf.exe
File size: 782848
MD5: 1baec657210438b896934a7a793c204c
SHA1: 4729717dab3dd01b2ca591c86a02176386e02356
SHA256: b041030454ea89a3ff2326405d3bf230f53daa9ecd50c3e3882a1ad6c0d2427c
SHA512: bdd388f9a1825bb9d21b8871535fc997751255ad2cf00dae12713e2a62aef4471b2d59d35430d45fc606ada32ce89b52f835623194a2d268006af43d093a8b4c
SSDEEP: 12288:PLpBX5M15aBnwpO06AKyCIy7OX4CzuEXU2x0V9CfArXVUVUU7I5e:DpBpGpOUKPW4CzuEkqw9CfvVUt5
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-O.....................8.......`...`... ....@.. ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4c600a
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x4F2DFFA8 [Sun Feb 5 04:03:52 2012 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [004C6000h]
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb640c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc2000          0x668         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc4000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xc6000          0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0xb6000          0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name        Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
)xrUhX      0x2000           0xb2d4c       0xb2e00   False     1.00031528433    data       7.99978046274   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text       0xb6000          0xb298        0xb400    False     0.723328993056   data       6.66811735085   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc       0xc2000          0x668         0x800     False     0.35205078125    data       3.64270697756   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc      0xc4000          0xc           0x200     False     0.044921875      data       0.09262353601   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless)  0xc6000          0x10          0x200     False     0.044921875      data       0.142635768149  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                        Language  Country
RT_VERSION   0xc20a0  0x3d8  data
RT_MANIFEST  0xc2478  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2018 Park Place Entertainment Corp
Assembly Version  0.0.0.0
InternalName      ORDER-NEW.exe
FileVersion       10.7.31.1
CompanyName       Park Place Entertainment Corp
Comments          utogogesisisakisikucic
ProductName       Directory Listing handler
ProductVersion    10.7.31.1
FileDescription   Directory Listing handler
OriginalFilename  ORDER-NEW.exe
                                                                                                                                                                      No network behavior found


                                                                                                                                                                      Start time:01:10:02
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Users\user\Desktop\ORDER-NEW....pdf.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\ORDER-NEW....pdf.exe"
                                                                                                                                                                      Imagebase:0x7f0000
                                                                                                                                                                      File size:782848 bytes
                                                                                                                                                                      MD5 hash:1BAEC657210438B896934A7A793C204C
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.703620754.0000000005AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.733884470.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.702281950.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.712572110.0000000005AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.738563781.0000000005AF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.711229338.00000000047C0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:low

                                                                                                                                                                      Start time:01:10:14
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                                                                                                                      Imagebase:0xcc0000
                                                                                                                                                                      File size:98912 bytes
                                                                                                                                                                      MD5 hash:6807F903AC06FF7E1670181378690B22
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.689728198.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.933455184.0000000007E95000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.930832405.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.690486770.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.933041044.0000000006FAE000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.933674801.0000000009480000.00000004.00020000.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000003.692797770.0000000008705000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.690115034.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.932528508.0000000006EA1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.691070548.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:moderate

                                                                                                                                                                      Start time:01:10:19
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB254.tmp
                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                      File size:1171592 bytes
                                                                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.702441264.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.704117458.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.702788844.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.715632355.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000000.703279347.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Start time:01:10:26
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
                                                                                                                                                                      Imagebase:0x160000
                                                                                                                                                                      File size:434592 bytes
                                                                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Start time:01:10:28
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6860 -s 1156
                                                                                                                                                                      Imagebase:0x160000
                                                                                                                                                                      File size:434592 bytes
                                                                                                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      Start time:01:11:25
                                                                                                                                                                      Start date:21/01/2022
                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpB202.tmp
                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                      File size:1171592 bytes
                                                                                                                                                                      MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                      Yara matches:
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.843177172.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.842827239.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.842483097.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000000.843631196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000012.00000002.844335097.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                      Reputation:high

                                                                                                                                                                      No disassembly