Windows Analysis Report
TGQfHfehsY

Overview

General Information

Sample Name: TGQfHfehsY (renamed file extension from none to exe)
Analysis ID: 587288
MD5: 9b8ec9e094676d88b02f038f318afd86
SHA1: 65f99e529982f1c1a5cf9eb59f60edfeecdf2eec
SHA256: 54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8
Tags: exe

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected MailPassView
Yara detected HawkEye Keylogger
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in Windows Explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to query network adapter information

Classification

AV Detection

Source: TGQfHfehsY.exe Virustotal: Detection: 32%
Source: 3.2.pjavpo.exe.20e0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.0.pjavpo.exe.415058.10.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.0.pjavpo.exe.400000.0.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.2.pjavpo.exe.4a20000.16.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.pjavpo.exe.4a20000.16.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 5.2.pjavpo.exe.4990000.15.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.2.pjavpo.exe.3803258.6.unpack Avira: Label: TR/Inject.vcoldi
Source: 12.0.vbc.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.pjavpo.exe.400000.2.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.0.pjavpo.exe.415058.14.unpack Avira: Label: TR/Inject.vcoldi
Source: 12.0.vbc.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.pjavpo.exe.20f1458.2.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.2.pjavpo.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.pjavpo.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.pjavpo.exe.400000.3.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.2.pjavpo.exe.415058.3.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.0.pjavpo.exe.400000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 12.0.vbc.exe.400000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 12.0.vbc.exe.400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 12.0.vbc.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: unknown HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: TGQfHfehsY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\gfzfo\jdgvpo\ilxz\eb80024cfd9a4588b9c5c2bbb297cb83\uledka\mpuuwnfg\Release\mpuuwnfg.pdb source: TGQfHfehsY.exe, 00000001.00000002.265684302.000000000040B000.00000004.00000001.01000000.00000003.sdmp, pjavpo.exe, 00000003.00000000.229757777.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe, 00000003.00000002.245881929.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe, 00000005.00000000.232538937.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe.1.dr
Source: Binary string: wntdll.pdbUGP source: pjavpo.exe, 00000003.00000003.242842960.000000001A030000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000003.00000003.236238654.000000001A1C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.500841796.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pjavpo.exe, 00000003.00000003.242842960.000000001A030000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000003.00000003.236238654.000000001A1C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.310652543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000C.00000000.305733767.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: pjavpo.exe Binary or memory string: [autorun]
Source: pjavpo.exe Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405250
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00405C22 FindFirstFileA,FindClose, 1_2_00405C22
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00404A29 FindFirstFileExW, 5_2_00404A29
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 13_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 13_2_00407E0E
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then mov esp, ebp 5_2_02304830
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_02306038
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_02300728
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_02305B71
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then jmp 02301A73h 5_2_023019B0
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then call 02301B20h 5_2_02307DB8
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_02307DB8
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then jmp 02301A73h 5_2_023019A0
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_023017F8
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_02309AEF
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 5_2_023014C0

Networking

Source: Traffic Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.4:49782 -> 66.70.204.222:21
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe DNS query: name: whatismyipaddress.com
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: Joe Sandbox View IP Address: 104.16.154.36 104.16.154.36
Source: global traffic TCP traffic: 192.168.2.4:49783 -> 66.70.204.222:59592
Source: unknown FTP traffic detected: 66.70.204.222:21 -> 192.168.2.4:49782
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 6 of 50 allowed.
220-Local time is now 14:57. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=333&w=311
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eTok.img?h=75&w=100
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=166&w=31
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=333&w=31
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://support.google.com/accounts/answer/151657
Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: pjavpo.exe, 00000005.00000003.267079423.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266811417.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267378958.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266664691.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267513923.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266920825.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267323200.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266505711.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267222556.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: pjavpo.exe, 00000005.00000003.257544389.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.258100800.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: pjavpo.exe, 00000005.00000003.258100800.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.commg
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com91S
Source: pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comlvfet21Z
Source: pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: pjavpo.exe, 00000005.00000003.255679895.0000000004F7C000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.254164186.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.254335364.0000000004FA0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: pjavpo.exe, 00000005.00000003.255272980.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.255550167.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/rL
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: pjavpo.exe, 00000005.00000003.277315069.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://www.google.com/
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://www.msn.com
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 0000000D.00000003.327330830.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323819201.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326555994.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324135944.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323582819.000000000221C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324202827.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323964619.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324363269.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325212298.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326969363.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.327458849.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326870543.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324885939.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324652893.0000000002215000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv8D09.tmp.13.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: pjavpo.exe, 00000005.00000003.267079423.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266811417.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266664691.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266920825.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267323200.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267222556.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: pjavpo.exe, 00000005.00000003.266505711.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comuv
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: pjavpo.exe, 00000005.00000003.255550167.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com5
Source: pjavpo.exe, 00000005.00000003.260312379.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comLv
Source: pjavpo.exe, 00000005.00000003.260312379.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comic
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: pjavpo.exe, 00000005.00000003.274619011.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.270053098.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274342061.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274465406.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.269915108.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274755127.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: pjavpo.exe, 00000005.00000003.269915108.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deF$wC
Source: pjavpo.exe, 00000005.00000003.270053098.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.269915108.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.270154747.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deQv
Source: pjavpo.exe, 00000005.00000003.274619011.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274342061.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274465406.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274755127.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.derT
Source: pjavpo.exe, 00000005.00000003.257123163.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000000D.00000003.328322633.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.327668619.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr String found in binary or memory: https://172.217.23.78/
Source: vbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323407346.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNRfxSclVePPTskt_ULwutuxovZBENP6CQBK41sqxH
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNSN_Te_GQT33AAAR6UNrVcn3a-PGny50bSNsHlzoT
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNRxRJyZzZp4KXfYTC7Z4q4fsi2jmRa8YGEqdB288n
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://adservice.google.com/adsid/google/ui
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: vbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323407346.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://contextual.media.net/
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000000D.00000003.324826424.00000000027E5000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324542822.00000000009ED000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325057893.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQE7dARJDf70CVtvXguPcFi4kAoAFTTEX3FZ_Kd&s=0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQEZeIjizh9n8teY_8BOjsYtpLHwSdIq3PT-WQtot4&s=10
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQFso5PEv3c0kRR2gODJUq62DZF6fnxNsqKUTBX-00QeuCR
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQJBttAzO3yKFNSKzEm8qyQoBw2vbSHn0xMB0yhbgc&s=10
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSkA3BhTLNTXreS8GxkTmsFGydHUKxWR3gtSn5&s=0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQYaLHOGeTAvxcl2Kvu_RGdrblf1tOpndi7m5_OMgFvfzlI
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQc9-XcC69nXJpriIbLos4bSDdjrz_nByi2zL9xxJ4&s=10
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQcijPNIB_ZGSU0DrjPI_tJ1YOI-6PHUbyHUjTLi3M5nnkK
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQehqYcvOrRcw1YORGnrCzHbNyjMegefhpqYrPQO8G2_KPc
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQyeaAiOCtrhzoyiUuHOZcp67UWv4aYiYIKZ629tWqIyQ_l
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcR6qDJUCBqqO8k81oIRUuLKwKNP-ux5oIGn1btf&s=0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRXMqY1lU5NXqI7H2QRWgHFAYTsfVdew3_6QMhtv0g&s=10
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRZaO1x4iyU-YgxgvuerXdFmXdj8Ce3rNy8Mqw2SlqePXDg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRlHYHZu1FxxbUNbpii9NbSF3wy4srqmfLAOC-QBxw&s
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS2yfg_cFEuqKFbNZCaFykqy-jW3vHyGM224t0Sov33iXvh
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS7Tsy61sPGCiV6yILYtCYyP2q9i9bHmXBPqktk0xQvTH0l
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS9bnSRFZj9kLnT0CeZ7r27C9IrO3sFLnQL62gz&s=0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSHEjIxVJou5NRecC2n_FnHaUJDfppR3IDOglu2Ry9INoxt
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSKx7_Dt9K5OFgp-raiLw2XdVNOTbR27N_DCL6T8VDVN_16
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSTkM_f5rN2hSSg3E_UshkUpgZ0a66Lz0rF6gF6&s=0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcScI5035wSfgyvpN8fX27BnFHfF4a7I8z7Xlm7v&s=0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSpNsTsg--kCoAxXjTvRrABIfJjd5ITzVx14ODQUC4wDGzB
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSrCEL2r-B2oHHnS0EeiVjQLJYayeF4GHjCZod9vr4&s
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSvX77JsybkskW6WoLj5kY6exJKuOkXoRWSsNgJbFY&s
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcT9-gm37CbSVQ1QMRdyqOvdY12lHBO7fXpaqZZqKP2Wbjr2
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTKoe8A2_V1bWtOlP5fx10ZdjsJZv6l2_sKjTp6jVAPnp0g
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcThUknsbAksExwESRgK7TW5ujPLzgeGDT0-A3f5a1XrdyR-
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTo0t2j428kWHZlc2etqXbsI-zLrpgSp87E2H24&s=0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v14/4UabrENHsxJlGDuGo1OIlLU94YtzCwA.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc-.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmSU5fBBc-.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQN
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBm
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipOcdIDtTfqJElTfRhjdFP9dPcYlW61iEhrydiuX=w92-h92-n-k-no
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: pjavpo.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/ConvergedLogin_PCore.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/Converged_v21033.css
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/images/ellipsis_white.svg?x=5ac590ee72bfe06a7cecfd75b588
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/images/microsoft_logo.svg?x=ee5c8d9fb6248c938fd0dc19370e
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: vbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323407346.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: vbc.exe, 0000000D.00000003.324826424.00000000027E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/callouthttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2019-06-26-21-10-17/PreSignInSettingsConfig.json
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2019-06-26-21-10-17/PreSignInSettingsConfig.json?One
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json?One
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/19.086.0502.0006/OneDriveSetup.exe
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/19.103.0527.0003/update1.xml?OneDriveUpdate=d580ab8fe35aabd7f368aa
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update1.xml?OneDriveUpdate=285df6c9c501a160c7a24c
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update1.xml?OneDriveUpdate=4a941ab240f8b2c5ca3ca1
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=28e3747a031f4b2a8498142b7c961529&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://ssl.gstatic.com/gb/images/i1_1967ca6a.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.comx&Qqt
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=993498051.1601450642
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: pjavpo.exe, vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/async/bgasy?ei=gTJ0X7zPLY2f1fAPlo2xoAI&yv=3&async=_fmt:jspb
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pq
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&ps
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/complete/search?q=ch&cp=2&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/complete/search?q=chr&cp=3&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/complete/search?q=chro&cp=4&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/complete/search?q=chrom&cp=5&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuse
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authus
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/images/hpp/Chrome_Owned_96x96.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/images/icons/material/system/1x/email_grey600_24dp.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/images/nav_logo299.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/images/phd/px.gif
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/application/x-msdownloadC:
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/js/bg/4sIGg4Q0MrxdMwjTwsyJBGUAZbljSmH8-8Fa9_hVOC0.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/search
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
Source: vbc.exe, 0000000D.00000003.324135944.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325490889.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324202827.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323964619.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324363269.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325212298.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324885939.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324652893.0000000002215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchp/LinkId=255141
Source: vbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323407346.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/am=AAAAAABA
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUe
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.ConsentUi.en_GB.wmTUy5P6FUM.es5.O/ck=
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.bMYZ6MazNlM.
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/ac/cb/cb_cbu_kickin.svg
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_92x36dp.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/check_black_24dp.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/keyboard_arrow_down_grey600_24dp.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/kpui/social/fb_32x32.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/kpui/social/twitter_32x32.png
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.og2.en_US.vA2d_upwXfg.O/rt=j/m=def
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.LGkrjG2a9yI.O/rt=j/m=qabr
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.CniBF78B8Ew.L.X.O/m=qcwid/excm=qaaw
Source: bhv8D09.tmp.13.dr String found in binary or memory: https://www.gstatic.com/ui/v1/activityindicator/loading_24.gif
Source: vbc.exe, 0000000D.00000003.325490889.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325673478.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326155267.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325833599.0000000002215000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr String found in binary or memory: https://www.msn.com/
Source: vbc.exe, 0000000D.00000003.325673478.0000000002215000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com//searchp/LinkId=255141
Source: vbc.exe, 0000000D.00000003.328802653.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.327613810.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332890748.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332406171.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332307194.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://micros
Source: vbc.exe, 0000000D.00000003.329277879.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.328664768.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.328857011.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.328998402.000000000221A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr String found in binary or memory: https://www.msn.com/spartan/dhp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisol
Source: unknown DNS traffic detected: queries for: 63.155.11.0.in-addr.arpa
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00B1B07E recv, 5_2_00B1B07E
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 11 Mar 2022 10:56:40 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closePermissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTX-Frame-Options: SAMEORIGINExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Set-Cookie: __cf_bm=0fu62l9a9_o52ZpSiY3B2Ubbqf8OPYGmRmWYhvH38y0-1646996200-0-AfArknz4ODut5S1R3Wyrv/QQodqXd6I1PPLa+MPUvKGZ6LT0rq7co6gxFQbkOapzHcyoZ6cbSHNSxTJdVa3eLOE=; path=/; expires=Fri, 11-Mar-22 11:26:40 GMT; domain=.whatismyipaddress.com; HttpOnly; SecureServer: cloudflareCF-RAY: 6ea3c3cbc8a66955-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: vbc.exe, 0000000D.00000002.332890748.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332406171.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332307194.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 0000000D.00000002.332890748.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332406171.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332307194.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/beauty|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/food|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/health|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/makers|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/movies|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/music|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/parents|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/politics|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/style|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tech|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/travel|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tv|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv8D09.tmp.13.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com|ntpproviders equals www.yahoo.com (Yahoo)
Source: pjavpo.exe, vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: HookKeyboard
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404E07

System Summary

Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00406043 1_2_00406043
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00404618 1_2_00404618
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_0040681A 1_2_0040681A
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040E101 3_2_0040E101
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00414C54 3_2_00414C54
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00414170 3_2_00414170
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00416E2D 3_2_00416E2D
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00415EC1 3_2_00415EC1
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_004146E2 3_2_004146E2
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040314F 3_2_0040314F
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00412F84 3_2_00412F84
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_0040A2A5 5_2_0040A2A5
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02307A60 5_2_02307A60
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02305758 5_2_02305758
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02306048 5_2_02306048
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02307DB8 5_2_02307DB8
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02307098 5_2_02307098
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02301D98 5_2_02301D98
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_0230708A 5_2_0230708A
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02301DA8 5_2_02301DA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00404DDB 12_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040BD8A 12_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00404E4C 12_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00404EBD 12_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00404F4E 12_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00404419 13_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00404516 13_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00413538 13_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004145A1 13_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0040E639 13_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004337AF 13_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004399B1 13_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_0043DAE7 13_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00405CF6 13_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00403F85 13_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00411F99 13_2_00411F99
Source: TGQfHfehsY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 5.2.pjavpo.exe.7bf0000.21.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.7aa0000.20.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.284a904.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.500841796.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.500849311.0000000007BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_004030E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_0249685A NtWriteVirtualMemory, 5_2_0249685A
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_0249670A NtQuerySystemInformation, 5_2_0249670A
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_024967B2 NtResumeThread, 5_2_024967B2
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_0249682D NtWriteVirtualMemory, 5_2_0249682D
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_024966C6 NtQuerySystemInformation, 5_2_024966C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 13_2_00408836
Source: TGQfHfehsY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File created: C:\Users\user\AppData\Roaming\pid.txt
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@9/7@4/3
Source: C:\Users\user\Desktop\TGQfHfehsY.exe File read: C:\Users\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 13_2_00415AFD
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 5_2_00401489
Source: TGQfHfehsY.exe Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\TGQfHfehsY.exe File read: C:\Users\user\Desktop\TGQfHfehsY.exe
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\TGQfHfehsY.exe "C:\Users\user\Desktop\TGQfHfehsY.exe"
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Process created: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process created: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
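The process tree above is the part of this report that translates most directly into a detection: an NSIS dropper on the Desktop writes pjavpo.exe to %TEMP%, pjavpo.exe re-spawns itself with the same command line (the hollowing host), and the second instance launches the .NET compiler vbc.exe with NirSoft's "/stext <file>" export switch, which is how the injected MailPassView and WebBrowserPassView payloads dump credentials to holdermail.txt and holderwb.txt. The following Python is an added example written for this page, not part of the sandbox report or of any vendor tooling. It runs offline over constructed Sysmon-style process-creation records that mirror that tree plus two constructed benign records. The event layout, the inclusion of csc.exe next to the vbc.exe this report shows, and the list of NirSoft export switches beyond /stext are this example's own assumptions.

```python
"""Process-creation triage for the HawkEye launch chain seen in this report.

Added example, not part of the sandbox report. Runs offline over constructed
Sysmon-style (Event ID 1) records: an NSIS dropper on the Desktop, pjavpo.exe
in %TEMP% re-spawning itself, and pjavpo.exe launching vbc.exe with /stext.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Hollowing hosts: the report shows vbc.exe; csc.exe is added by this example
# as the sibling .NET compiler that is abused the same way (assumption).
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}

# NirSoft "save report" switches. The report shows /stext; the other output
# formats the same tool family accepts are included here as an assumption.
NIRSOFT_EXPORT = re.compile(r"(?:^|\s)/s(?:text|tab|tabular|comma|html|verhtml|xml)\b", re.I)

# Per-user writable locations a compiler has no business being launched from.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(event: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list = clean)."""
    hits = []
    img = basename(event.image)

    # Rule 1: a .NET compiler invoked with a NirSoft export switch. Real
    # vbc.exe/csc.exe take /out:, /target:, /reference: and friends; a bare
    # '/stext <file>' only makes sense for a NirSoft tool hollowed into it.
    if img in DOTNET_COMPILERS and NIRSOFT_EXPORT.search(event.command_line):
        hits.append("dotnet_compiler_nirsoft_export")

    # Rule 2: a .NET compiler whose parent lives in %TEMP% or Roaming.
    if img in DOTNET_COMPILERS and USER_WRITABLE.search(event.parent_image):
        hits.append("dotnet_compiler_from_temp_parent")

    # Rule 3: a %TEMP% executable spawning a second copy of itself; the parent
    # then writes into the child and resumes it (process hollowing).
    if USER_WRITABLE.search(event.image) and event.image.lower() == event.parent_image.lower():
        hits.append("temp_binary_self_respawn")

    return hits


TEMP = r"C:\Users\user\AppData\Local\Temp"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

# Constructed records mirroring the report's process tree (pids are made up).
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Users\user\Desktop\TGQfHfehsY.exe", r'"C:\Users\user\Desktop\TGQfHfehsY.exe"', r"C:\Windows\explorer.exe"),
    ProcEvent(3, TEMP + r"\pjavpo.exe", TEMP + r"\pjavpo.exe " + TEMP + r"\brtwja", r"C:\Users\user\Desktop\TGQfHfehsY.exe"),
    ProcEvent(5, TEMP + r"\pjavpo.exe", TEMP + r"\pjavpo.exe " + TEMP + r"\brtwja", TEMP + r"\pjavpo.exe"),
    ProcEvent(12, VBC, VBC + r' /stext "' + TEMP + r'\holdermail.txt"', TEMP + r"\pjavpo.exe"),
    ProcEvent(13, VBC, VBC + r' /stext "' + TEMP + r'\holderwb.txt"', TEMP + r"\pjavpo.exe"),
    # Two constructed benign records: a real compile and an unrelated process.
    ProcEvent(40, VBC, VBC + r" /noconfig /out:C:\build\App.exe C:\build\Module1.vb", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ProcEvent(41, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]


def triage_all(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> rule hits, keeping only the events that tripped something."""
    return {e.pid: hits for e in events if (hits := triage(e))}


if __name__ == "__main__":
    for pid, hits in triage_all(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

Rule 1 alone is enough to catch this sample and stays silent on a genuine MSBuild-driven compile; rules 2 and 3 add context from the parent chain so the alert points at pjavpo.exe as the injector rather than at the hollowed vbc.exe. In a real deployment the same three predicates map onto Sysmon Event ID 1 fields Image, CommandLine and ParentImage without change.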
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_024941AE AdjustTokenPrivileges, 5_2_024941AE
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02494177 AdjustTokenPrivileges, 5_2_02494177
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\TGQfHfehsY.exe File created: C:\Users\user\AppData\Local\Temp\nsl8C59.tmp
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar, 1_2_00402012
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_0040411B
Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 13_2_00411196
Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', '+NuhvnHL/23apr//8A7D9HKLlcgATfODiXKjHLGsasbFDJBFHqbDrty+sGNtrFgc0eVe1DxY3U1N9v9ixGVjuQ==', 'oS55EiDwvndYEtZ5+lXTfbIb8G1taLPDlWmbhqlMK5CSJNdt9Qbgk/vwkhCaHpDIwtEy26QBS+jq3mOtR2AT75ZDkMahwZY7KngJ5TRfdok=', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\gfzfo\jdgvpo\ilxz\eb80024cfd9a4588b9c5c2bbb297cb83\uledka\mpuuwnfg\Release\mpuuwnfg.pdb source: TGQfHfehsY.exe, 00000001.00000002.265684302.000000000040B000.00000004.00000001.01000000.00000003.sdmp, pjavpo.exe, 00000003.00000000.229757777.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe, 00000003.00000002.245881929.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe, 00000005.00000000.232538937.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe.1.dr
Source: Binary string: wntdll.pdbUGP source: pjavpo.exe, 00000003.00000003.242842960.000000001A030000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000003.00000003.236238654.000000001A1C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.500841796.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pjavpo.exe, 00000003.00000003.242842960.000000001A030000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000003.00000003.236238654.000000001A1C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.310652543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000C.00000000.305733767.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Data Obfuscation

Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040F655 push ecx; ret 3_2_0040F668
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00401F16 push ecx; ret 5_2_00401F29
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00B27F02 push eax; ret 5_2_00B27F75
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00411879 push ecx; ret 12_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_004118A0 push eax; ret 12_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_004118A0 push eax; ret 12_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442871 push ecx; ret 13_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret 13_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret 13_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00446E54 push eax; ret 13_2_00446E61
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405C49
Source: TGQfHfehsY.exe Static PE information: real checksum: 0x0 should be: 0xab3f3
Source: pjavpo.exe.1.dr Static PE information: real checksum: 0x2c4c6 should be: 0x22f88
Source: C:\Users\user\Desktop\TGQfHfehsY.exe File created: C:\Users\user\AppData\Local\Temp\pjavpo.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040E101 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_0040E101
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe TID: 6820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe TID: 2380 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe TID: 2560 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe TID: 6312 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 13_2_00408836
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Window / User API: threadDelayed 509
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe API coverage: 6.1 %
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: GetAdaptersInfo, 5_2_02492ED6
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: GetAdaptersInfo, 5_2_02492E98
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Thread delayed: delay time: 140000
Source: C:\Users\user\Desktop\TGQfHfehsY.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe API call chain: ExitProcess graph end node
Source: bhv8D09.tmp.13.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220311T105602Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=9ebbac39d9a3402085c24368353fb3cf&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: bhv8D09.tmp.13.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220308T094317Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=0217a865f8f848fda01c81f53625784e&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_004161B0 memset,GetSystemInfo, 13_2_004161B0
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405250
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00405C22 FindFirstFileA,FindClose, 1_2_00405C22
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00404A29 FindFirstFileExW, 5_2_00404A29
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 13_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 13_2_00407E0E
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_004035F1 mov eax, dword ptr fs:[00000030h] 5_2_004035F1
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040F983 _memset,IsDebuggerPresent, 3_2_0040F983
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00410AFA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_00410AFA
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040E588 GetProcessHeap, 3_2_0040E588
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040F55D SetUnhandledExceptionFilter, 3_2_0040F55D
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040F58E SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0040F58E
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00401E1D SetUnhandledExceptionFilter, 5_2_00401E1D
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0040446F
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00401C88
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00401F30

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.pjavpo.exe.4a20000.16.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process created: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00412BFC cpuid 3_2_00412BFC
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040F05A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_0040F05A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 12_2_0040724C
Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 1_2_0040594D
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a7fa72.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.49edc72.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4965c92.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.310652543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.306290437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.305733767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 580, type: MEMORYSTR
Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 12_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 12_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 12_2_004033D7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match File source: 5.2.pjavpo.exe.4a29c0d.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41ce65.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f9265.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4997e0d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.380b065.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490fe2d.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.307280478.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5484, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt

Remote Access Functionality

Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: pjavpo.exe String found in binary or memory: HawkEyeKeylogger
Source: pjavpo.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: pjavpo.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: pjavpo.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: pjavpo.exe, 00000005.00000002.496834741.00000000029B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qCBHawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
Source: pjavpo.exe, 00000005.00000002.496834741.00000000029B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qcbftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
Source: pjavpo.exe, 00000005.00000002.496834741.00000000029B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_760639%203.11.2022%2012:04:44%20PM.txt
Source: pjavpo.exe, 00000005.00000002.496834741.00000000029B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qihftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_760639%203.11.2022%2012:04:44%20PM.txt
Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qDC/HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qCBHawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txtd8
Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qJISTOR HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qISTOR HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02490F6E bind, 5_2_02490F6E
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_02490F3B bind, 5_2_02490F3B