Windows Analysis Report
Y4lA02GQNd

Overview

General Information

Sample Name: Y4lA02GQNd (renamed file extension from none to exe)
Analysis ID: 594270
MD5: 48d4d71b8425a1b2c6e338581eaa1a57
SHA1: 2eccb47306a0251a8767f80085c132807d24114e
SHA256: 6be42b803f6df9a6520608ac4b4c91437ccf640c42c37650e83f864ceb48950b
Tags: exeHawkEye
Infos:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Installs a global keyboard hook
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: CurrentVersion Autorun Keys Modification
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
IP address seen in connection with other malware
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a window with clipboard capturing capabilities
Sigma detected: Autorun Keys Modification

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Multi AV Scanner detection for submitted file
Source: Y4lA02GQNd.exe Virustotal: Detection: 82% Perma Link
Source: Y4lA02GQNd.exe Metadefender: Detection: 74% Perma Link
Source: Y4lA02GQNd.exe ReversingLabs: Detection: 95%
Antivirus / Scanner detection for submitted sample
Source: Y4lA02GQNd.exe Avira: detected
Source: Y4lA02GQNd.exe Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Metadefender: Detection: 74% Perma Link
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: Y4lA02GQNd.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.WindowsUpdate.exe.840000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.840000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.vbc.exe.400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.vbc.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.0.WindowsUpdate.exe.840000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.0.WindowsUpdate.exe.840000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.vbc.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.vbc.exe.400000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 8.0.vbc.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.6:49775 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.6:49775 version: TLS 1.0
Uses 32bit PE files
Source: Y4lA02GQNd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Y4lA02GQNd.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wwin32u.pdbRSDShQ:#& source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wkernel32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: NapiNSP.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcrt.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cryptbase.pdbRSDS0 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wntdll.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorjit.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winnsi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ntasn1.pdbRSDSQ source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cryptsp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: advapi32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ucrtbase.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wsspicli.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: schannel.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Windows.Forms.pdbRSDSk source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shlwapi.pdbRSDS8 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr
Source: Binary string: 1%oC:\Windows\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: @Cosymbols\dll\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mskeyprotect.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr
Source: Binary string: schannel.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shell32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dwmapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: apphelp.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ws2_32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: bcryptprimitives.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: .pdb94 source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: fastprox.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: nsi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dnsapi.pdbRSDSp source: WER3193.tmp.mdmp.12.dr
Source: Binary string: gpapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: powrprof.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wUxTheme.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wimm32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ole32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Configuration.pdbY` source: WER3193.tmp.mdmp.12.dr
Source: Binary string: version.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dhcpcsvc6.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msasn1.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wgdi32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorlib.pdb source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, WER3193.tmp.mdmp.12.dr
Source: Binary string: cfgmgr32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: Windows.Storage.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: combase.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasman.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: iphlpapi.pdbRSDSU source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cfgmgr32.pdbRSDSu7 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: apphelp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: sechost.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasadhlp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: powrprof.pdbRSDSQ source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorlib.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dhcpcsvc.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcr80.i386.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: combase.pdbRSDSM% source: WER3193.tmp.mdmp.12.dr
Source: Binary string: profapi.pdbRSDS# source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Management.pdbRSDSL source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ntmarta.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: crypt32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fltLib.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: psapi.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: Windows.Storage.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shell32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcr80.i386.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcp_win.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winnsi.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasapi32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\System.pdb\CA' source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wUxTheme.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ntasn1.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wmiutils.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb@ source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wgdi32full.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorjit.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: sechost.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rsaenh.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ncryptsslp.pdbRSDS!V source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msctf.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemcomn.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fastprox.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wsspicli.pdbRSDSv source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemsvc.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winrnr.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msctf.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wrpcrt4.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Xml.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: gdiplus.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemprox.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Xml.pdb# source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rtutils.pdbRSDST source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Windows.Forms.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Configuration.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fwpuclnt.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: bcryptprimitives.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wbemsvc.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wuser32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Management.pdbH source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.pdbRSDS~:] source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rsaenh.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: bcrypt.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: advapi32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemcomn.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: 1%oC:\Windows\mscorlib.pdb source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mskeyprotect.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wrpcrt4.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: edputil.pdbRSDSk source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shcore.pdbRSDSK source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ws2_32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcp_win.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Windows.Forms.pdb, source: WER3193.tmp.mdmp.12.dr
Source: Binary string: Kernel.Appcore.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: CLBCatQ.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ntmarta.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shlwapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasadhlp.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: secur32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscoreei.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscoree.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: symbols\dll\mscorlib.pdb source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Runtime.Remoting.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dhcpcsvc.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: iphlpapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb< source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ole32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: bcrypt.pdbRSDSY! source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winhttp.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Configuration.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wkernelbase.pdbRSDST source: WER3193.tmp.mdmp.12.dr
Source: Binary string: security.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: nsi.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shfolder.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: DWrite.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Drawing.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Management.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: pnrpnsp.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fwpuclnt.pdbRSDSI source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ncrypt.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: secur32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: security.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: nlaapi.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: NapiNSP.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winrnr.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Xml.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\dll\System.pdb/ source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: pnrpnsp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wmswsock.pdbRSDSs: source: WER3193.tmp.mdmp.12.dr
Source: Binary string: DWrite.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: gpapi.pdbRSDS'- source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shcore.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wgdi32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscoree.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: oleaut32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasapi32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wntdll.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dnsapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wimm32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wwin32u.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: nlaapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dwmapi.pdbRSDS%q.I source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cryptsp.pdbRSDSo source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winhttp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: gdiplus.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorlib.pdbH source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, WER3193.tmp.mdmp.12.dr
Source: Binary string: rtutils.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorwks.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: profapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dhcpcsvc6.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: WMINet_Utils.pdbRSDS} source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shfolder.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasman.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wkernel32.pdbRSDS` source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ncryptsslp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr
Source: Binary string: System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp, WER3193.tmp.mdmp.12.dr
Source: Binary string: wmswsock.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: version.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdbRSDS$<y source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fltLib.pdbRSDSw-n source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wgdi32full.pdbRSDS1r5 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Drawing.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ncrypt.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: Kernel.Appcore.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: psapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: WMINet_Utils.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cryptbase.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscoreei.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msasn1.pdbRSDSG0 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorwks.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wmiutils.pdbRSDS@ source: WER3193.tmp.mdmp.12.dr
Source: Binary string: CLBCatQ.pdbRSDSF source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemprox.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: crypt32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: edputil.pdb source: WER3193.tmp.mdmp.12.dr
May infect USB drives
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: autorun.inf
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: autorun.inf
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: [autorun]
Source: Y4lA02GQNd.exe Binary or memory string: autorun.inf
Source: Y4lA02GQNd.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe.0.dr Binary or memory string: autorun.inf
Source: WindowsUpdate.exe.0.dr Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 8_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 9_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 9_2_00407E0E
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_05080728

Networking
barindex
May check the online IP address of the machine
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe DNS query: name: whatismyipaddress.com
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.6:49775 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.6:49775 version: TLS 1.0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.154.36 104.16.154.36
Source: bhv748A.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: bhv748A.tmp.9.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Y4lA02GQNd.exe, 00000000.00000000.476599135.0000000006D50000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp, bhv748A.tmp.9.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv748A.tmp.9.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: Y4lA02GQNd.exe, 00000000.00000003.357824632.000000000575B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000000D.00000002.491218445.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo.com/fooT
Source: bhv748A.tmp.9.dr String found in binary or memory: http://google.com/chrome
Source: bhv748A.tmp.9.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhv748A.tmp.9.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjIwZTg0ZTY4NTUwZTU4OGJhMzFmNmI5YjE4N2E4NDAyZWVmO
Source: bhv748A.tmp.9.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJhM2VjZmJmYzJjMzAzZjVjMGM1MjhiNDZjYWEyNDY0MGI2M
Source: bhv748A.tmp.9.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: bhv748A.tmp.9.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImQ1Y2M3ZjUxNTk0ZjI1ZWI5NjQxNjllMjcxMDliYzA5MWY4N
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv9IZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhax?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvqEs?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvuGs?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvzqT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xDME?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yG8H?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1kc8s?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMQmHU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBS0Ogx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuaWG?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhv748A.tmp.9.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhv748A.tmp.9.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhv748A.tmp.9.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv748A.tmp.9.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=333&w=311
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv9IZ.img?h=75&w=100&
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=166&w=310
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=166&w=310
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhax.img?h=166&w=310
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvqEs.img?h=166&w=310
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvuGs.img?h=333&w=311
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvzqT.img?h=166&w=310
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xDME.img?h=75&w=100
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yG8H.img?h=166&w=31
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=75&w=100
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1kc8s.img?m=6&o=true&
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMQmHU.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBS0Ogx.img?h=75&w=100&
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuaWG.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv748A.tmp.9.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe String found in binary or memory: http://whatismyipaddress.com/
Source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr String found in binary or memory: http://whatismyipaddress.com/-
Source: Y4lA02GQNd.exe, 00000000.00000000.473533642.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.412270493.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.413055738.000000000577F000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.413414806.000000000577C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.412847317.000000000577C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.413521909.000000000577C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.412072271.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.412487111.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.491549055.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Y4lA02GQNd.exe, 00000000.00000003.383507536.000000000575B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Y4lA02GQNd.exe, 00000000.00000003.372008612.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373231475.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373084886.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Y4lA02GQNd.exe, 00000000.00000003.375248300.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375385629.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375572049.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375436264.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375495603.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374546800.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375104251.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375034269.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com)
Source: Y4lA02GQNd.exe, 00000000.00000003.373792797.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374030150.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375248300.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372468452.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375385629.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375572049.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375436264.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375495603.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374546800.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375104251.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372315119.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372607090.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375034269.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372008612.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373231475.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373084886.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com.
Source: Y4lA02GQNd.exe, 00000000.00000003.372468452.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372315119.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comAl
Source: Y4lA02GQNd.exe, 00000000.00000003.371928345.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comCH)
Source: Y4lA02GQNd.exe, 00000000.00000003.372468452.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comY
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Y4lA02GQNd.exe, 00000000.00000003.375572049.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375436264.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375495603.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: Y4lA02GQNd.exe, 00000000.00000003.373792797.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374030150.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375248300.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375385629.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375572049.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375436264.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375495603.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374546800.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375104251.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372607090.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375034269.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373231475.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373084886.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.W
Source: Y4lA02GQNd.exe, 00000000.00000003.375248300.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375385629.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375572049.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375436264.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375495603.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375104251.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comue
Source: Y4lA02GQNd.exe, 00000000.00000003.373792797.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374030150.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375248300.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372468452.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375385629.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375572049.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.371928345.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375436264.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375495603.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374546800.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375104251.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372315119.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372607090.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375034269.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372008612.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373231475.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373084886.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comva
Source: Y4lA02GQNd.exe, 00000000.00000003.372468452.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.371928345.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372315119.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372008612.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comx
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.473497287.0000000005750000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Y4lA02GQNd.exe, 00000000.00000003.393112992.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394599690.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.392976997.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Y4lA02GQNd.exe, 00000000.00000003.394090834.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Y4lA02GQNd.exe, 00000000.00000003.392976997.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersTTF
Source: Y4lA02GQNd.exe, 00000000.00000003.393112992.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393442372.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393586315.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.392976997.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393791636.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersz
Source: Y4lA02GQNd.exe, 00000000.00000003.395805295.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394958311.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394599690.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com9
Source: Y4lA02GQNd.exe, 00000000.00000003.392976997.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: Y4lA02GQNd.exe, 00000000.00000003.394006220.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393112992.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394958311.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393442372.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394261678.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393586315.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394599690.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393791636.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comB
Source: Y4lA02GQNd.exe, 00000000.00000003.394006220.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393112992.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.395805295.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394958311.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393442372.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394261678.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393586315.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394599690.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.392976997.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393791636.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: Y4lA02GQNd.exe, 00000000.00000003.394958311.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394599690.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comT.TTF
Source: Y4lA02GQNd.exe, 00000000.00000000.491470475.0000000005750000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.473497287.0000000005750000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: Y4lA02GQNd.exe, 00000000.00000003.392976997.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comdK
Source: Y4lA02GQNd.exe, 00000000.00000003.394006220.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393112992.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.395805295.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394958311.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393442372.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394261678.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393586315.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394599690.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.392976997.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393791636.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comessed
Source: Y4lA02GQNd.exe, 00000000.00000000.473497287.0000000005750000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coml1
Source: Y4lA02GQNd.exe, 00000000.00000003.394958311.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394261678.000000000575C000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394599690.000000000575C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comtodK
Source: Y4lA02GQNd.exe, 00000000.00000003.360265172.0000000005785000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.360707434.0000000005785000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.359822110.0000000005785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Y4lA02GQNd.exe, 00000000.00000003.360265172.0000000005785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.comW
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.369282731.0000000005764000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.369272381.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.369474733.000000000577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Y4lA02GQNd.exe, 00000000.00000003.370081943.000000000577E000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.369819113.000000000577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: Y4lA02GQNd.exe, 00000000.00000003.370496605.000000000577E000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.370081943.000000000577E000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.369819113.000000000577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/SC
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Y4lA02GQNd.exe, 00000000.00000003.369282731.0000000005764000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnv
Source: Y4lA02GQNd.exe, 00000000.00000003.369819113.000000000577F000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.369611485.000000000577F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.cz$i
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Y4lA02GQNd.exe, 00000000.00000003.404217218.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.403078841.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.403572756.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.404451143.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.403339101.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.404057605.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.403188077.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.403830113.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Y4lA02GQNd.exe, 00000000.00000003.384353675.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384884476.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384589677.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385139914.000000000575B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.itcfonts.
Source: Y4lA02GQNd.exe, 00000000.00000003.381141231.0000000005759000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.386187009.000000000575B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Y4lA02GQNd.exe, 00000000.00000003.379733272.000000000575A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: Y4lA02GQNd.exe, 00000000.00000003.381020419.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.382299288.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.382800337.0000000005759000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384353675.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384884476.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383959340.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384589677.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383507536.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384188659.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385404872.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385139914.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384065066.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383815683.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385777869.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385991741.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.381141231.0000000005759000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Y4lA02GQNd.exe, 00000000.00000003.381020419.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.382299288.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.382800337.0000000005759000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383507536.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383815683.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.381141231.0000000005759000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/8
Source: Y4lA02GQNd.exe, 00000000.00000003.381020419.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.382299288.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.382800337.0000000005759000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384353675.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383959340.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383507536.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384188659.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.378091951.0000000005753000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384065066.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383815683.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.379733272.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.381141231.0000000005759000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: Y4lA02GQNd.exe, 00000000.00000003.381020419.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.382299288.000000000575A000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.382800337.0000000005759000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384353675.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384884476.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383959340.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384589677.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383507536.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384188659.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385404872.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385139914.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.384065066.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.386953770.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.386436215.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383815683.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385777869.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.385991741.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.381141231.0000000005759000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.386685465.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.386187009.000000000575B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Y4lA02GQNd.exe, 00000000.00000003.395419498.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393502462.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394762946.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.392810742.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393281354.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393720087.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.395061465.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393929863.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394090834.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.394499392.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.393038371.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.395227502.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.
Source: bhv748A.tmp.9.dr String found in binary or memory: http://www.msn.com
Source: bhv748A.tmp.9.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 00000009.00000003.484281610.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.483803035.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485209938.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484810347.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.483086399.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484730959.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482413089.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482567157.0000000002794000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485091197.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485192303.0000000002794000.00000004.00000800.00020000.00000000.sdmp, bhv748A.tmp.9.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 00000009.00000003.482221637.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485209938.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484810347.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.483086399.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.489058002.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482796505.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484730959.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481797364.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482093103.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481965759.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481923551.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481868059.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.487104299.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482891067.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481744646.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.488609265.000000000279D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
Source: bhv748A.tmp.9.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv748A.tmp.9.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv748A.tmp.9.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: WindowsUpdate.exe.0.dr String found in binary or memory: http://www.nirsoft.net/
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Y4lA02GQNd.exe, 00000000.00000003.383815683.000000000575B000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.383711646.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comZ
Source: Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comslnt
Source: Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.comslnt~
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Y4lA02GQNd.exe, 00000000.00000003.398602765.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.398800208.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.390060737.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.390537636.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.399279481.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.399075464.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.390388378.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.de
Source: Y4lA02GQNd.exe, 00000000.00000000.491741294.0000000006962000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Y4lA02GQNd.exe, 00000000.00000003.398602765.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.398800208.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.399279481.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.399075464.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.delar
Source: Y4lA02GQNd.exe, 00000000.00000003.390060737.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deo~
Source: Y4lA02GQNd.exe, 00000000.00000003.398602765.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.dew
Source: Y4lA02GQNd.exe, 00000000.00000003.371804511.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375572049.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.371928345.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375436264.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375495603.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374546800.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375104251.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372315119.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372607090.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375722527.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375034269.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372008612.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373231475.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373084886.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Y4lA02GQNd.exe, 00000000.00000003.371804511.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.371928345.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372315119.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372008612.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnY
Source: Y4lA02GQNd.exe, 00000000.00000003.373792797.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374030150.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372468452.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.371804511.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.371928345.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.374546800.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372315119.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372607090.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.375034269.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372008612.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373231475.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.373084886.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnue
Source: Y4lA02GQNd.exe, 00000000.00000003.371804511.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnva
Source: Y4lA02GQNd.exe, 00000000.00000003.372468452.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.371804511.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.371928345.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372315119.0000000005780000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.372008612.0000000005780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnx
Source: bhv748A.tmp.9.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: vbc.exe, 00000009.00000003.482221637.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485209938.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484810347.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.483086399.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.489058002.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482796505.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484730959.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482093103.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482413089.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482567157.0000000002794000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.487104299.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482891067.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.488609265.000000000279D000.00000004.00000800.00020000.00000000.sdmp, bhv748A.tmp.9.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: bhv748A.tmp.9.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: bhv748A.tmp.9.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: vbc.exe, 00000009.00000003.482413089.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482567157.0000000002794000.00000004.00000800.00020000.00000000.sdmp, bhv748A.tmp.9.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: bhv748A.tmp.9.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv748A.tmp.9.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://contextual.media.net/
Source: bhv748A.tmp.9.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv748A.tmp.9.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: vbc.exe, 00000009.00000003.480261998.00000000027E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.php
Source: bhv748A.tmp.9.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000009.00000003.482221637.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485209938.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.480420363.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484810347.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.483086399.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.489058002.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482796505.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484730959.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481797364.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482093103.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481965759.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481707426.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481923551.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481868059.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.487104299.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485342623.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482992115.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482891067.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482178944.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481744646.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.488609265.000000000279D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: bhv748A.tmp.9.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 00000009.00000003.482221637.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485209938.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484810347.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.483086399.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.489058002.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482796505.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484730959.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481797364.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482093103.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481965759.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481923551.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481868059.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.487104299.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482891067.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481744646.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.488609265.000000000279D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhv748A.tmp.9.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv748A.tmp.9.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/189/134/171/257b11a9-f3a3-4bb3-9298-c791f456f3d0.jpg?v=9
Source: bhv748A.tmp.9.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/248/152/169/520bb037-5f8d-42d6-934b-d6ec4a6832e8.jpg?v=9
Source: bhv748A.tmp.9.dr String found in binary or memory: https://cvision.media.net/new/300x300/2/189/9/46/83cfba42-7d45-4670-a4a7-a3211ca07534.jpg?v=9
Source: bhv748A.tmp.9.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv748A.tmp.9.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/237/70/222/47ef75a1-aa03-4dce-a349-91d6a5ed47bb.jpg?v=9
Source: bhv748A.tmp.9.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv748A.tmp.9.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B9B620FEE
Source: bhv748A.tmp.9.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv748A.tmp.9.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv748A.tmp.9.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv748A.tmp.9.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv748A.tmp.9.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv748A.tmp.9.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv748A.tmp.9.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ce_sharpen%2Ch_311%2Cw_207%2Cc_fill%
Source: bhv748A.tmp.9.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhv748A.tmp.9.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv748A.tmp.9.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: vbc.exe, 00000009.00000003.482413089.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482567157.0000000002794000.00000004.00000800.00020000.00000000.sdmp, bhv748A.tmp.9.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: vbc.exe, WindowsUpdate.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv748A.tmp.9.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: bhv748A.tmp.9.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv748A.tmp.9.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: bhv748A.tmp.9.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: bhv748A.tmp.9.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhv748A.tmp.9.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv748A.tmp.9.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv748A.tmp.9.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=fa1a6a09db4c4f6fbf480b78c51caf60&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv748A.tmp.9.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.comx&
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=1824632442.1601478955
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/
Source: vbc.exe, WindowsUpdate.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: vbc.exe, 00000009.00000003.480261998.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484281610.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.483803035.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.489675972.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482221637.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.485209938.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.480420363.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484810347.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.483086399.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.489058002.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.479526378.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482796505.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.479634358.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.484730959.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481797364.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482093103.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481965759.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481923551.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481868059.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.480073440.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.487104299.0000000002791000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: vbc.exe, 00000009.00000003.481460118.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.482221637.000000000279D000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.481707426.00000000027E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv748A.tmp.9.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: unknown DNS traffic detected: queries for: 4.179.10.0.in-addr.arpa
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00FAA09A recv, 13_2_00FAA09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 22 Mar 2022 15:44:06 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Chl-Bypass: 1Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTX-Frame-Options: SAMEORIGINExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Set-Cookie: __cf_bm=yAmoydzzZqDO8N9OhKXi.L35L1hYl8h4jR9VW0Rw4Y4-1647963846-0-AepzJ2lz+nqyItG8Hn+3ZlfofKHspz9bsYlU8hzugR86E+vEgjlX89iJQT15CseCtzrzPPi/MGb/0cCyZbllD7Q=; path=/; expires=Tue, 22-Mar-22 16:14:06 GMT; domain=.whatismyipaddress.com; HttpOnly; SecureServer: cloudflareCF-RAY: 6f000bf8caa49ba1-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, WindowsUpdate.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000009.00000003.489675972.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.489058002.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.487104299.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.488609265.000000000279D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/file://192.168.2.1/all/patchSubSystemMemory.au3https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938
Source: vbc.exe, 00000009.00000003.489675972.00000000027A4000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.489058002.00000000027A3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.487104299.0000000002791000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.488609265.000000000279D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlabout:blankhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://go.microsoft.com/fwlink/?LinkId=517287https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/file://192.168.2.1/all/patchSubSystemMemory.au3https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=7&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=199&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=348&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=2&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938632;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736938

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: Y4lA02GQNd.exe, type: SAMPLE
Source: Yara match File source: 13.0.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Y4lA02GQNd.exe.6de8c32.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.3038f34.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.3038f34.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y4lA02GQNd.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Y4lA02GQNd.exe Jump to behavior
Contains functionality to log keystrokes (.Net Source)
Source: Y4lA02GQNd.exe, Form1.cs .Net Code: HookKeyboard
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: HookKeyboard
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, Form1.cs .Net Code: HookKeyboard
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 8_2_0040AC8A
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Y4lA02GQNd.exe, type: SAMPLE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Y4lA02GQNd.exe, type: SAMPLE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.9cfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.9cfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.9cfa72.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.9cfa72.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.Y4lA02GQNd.exe.6de8c32.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.Y4lA02GQNd.exe.6de8c32.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.9cfa72.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.9cfa72.16.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.3038f34.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.3038f34.19.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Y4lA02GQNd.exe.3038f34.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Y4lA02GQNd.exe.3038f34.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
One or more processes crash
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2836
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00404DDB 8_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040BD8A 8_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00404E4C 8_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00404EBD 8_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00404F4E 8_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00404419 9_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00404516 9_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00413538 9_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_004145A1 9_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0040E639 9_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_004337AF 9_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_004399B1 9_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0043DAE7 9_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00405CF6 9_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00403F85 9_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00411F99 9_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008703C0 13_2_008703C0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0084D426 13_2_0084D426
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0085D5AE 13_2_0085D5AE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0084D523 13_2_0084D523
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0084D6C4 13_2_0084D6C4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00857646 13_2_00857646
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008829BE 13_2_008829BE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00886AF4 13_2_00886AF4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008AABFC 13_2_008AABFC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008A3CBE 13_2_008A3CBE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008A3C4D 13_2_008A3C4D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008A3DC0 13_2_008A3DC0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0084ED03 13_2_0084ED03
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008A3D2F 13_2_008A3D2F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0084CF92 13_2_0084CF92
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0085AFA6 13_2_0085AFA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0087C7BC 13_2_0087C7BC
PE file contains strange resources
Source: Y4lA02GQNd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Y4lA02GQNd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Y4lA02GQNd.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: security.dll Jump to behavior
Uses 32bit PE files
Source: Y4lA02GQNd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: Y4lA02GQNd.exe, type: SAMPLE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: Y4lA02GQNd.exe, type: SAMPLE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Y4lA02GQNd.exe, type: SAMPLE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.8220000.22.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.8270000.23.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.8220000.12.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.9cfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.9cfa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.9cfa72.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.9cfa72.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.Y4lA02GQNd.exe.6de8c32.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.3.Y4lA02GQNd.exe.6de8c32.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.9cfa72.16.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.9cfa72.16.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.8270000.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.305c754.18.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.305c754.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.3038f34.19.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.3038f34.19.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.3038f34.19.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Y4lA02GQNd.exe.3038f34.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Y4lA02GQNd.exe.3038f34.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.Y4lA02GQNd.exe.3038f34.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.480083464.0000000008220000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000000.494055092.0000000008270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000000.493970580.0000000008220000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.480126658.0000000008270000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 0088BA9D appears 36 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 9_2_00408836
Sample file is different than original file name gathered from version info
Source: Y4lA02GQNd.exe, 00000000.00000000.354626587.00000000009F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameassemblychange.exe\ vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.480083464.0000000008220000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameassemblychange.exe\ vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe Binary or memory string: OriginalFilenamemailpv.exe< vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe Binary or memory string: OriginalFilenameassemblychange.exe\ vs Y4lA02GQNd.exe
Source: Y4lA02GQNd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File created: C:\Users\user\AppData\Roaming\pid.txt Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@11/14@3/3
Source: Y4lA02GQNd.exe, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: WindowsUpdate.exe.0.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 9_2_00415AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource, 8_2_0040ED0B
Source: Y4lA02GQNd.exe Virustotal: Detection: 82%
Source: Y4lA02GQNd.exe Metadefender: Detection: 74%
Source: Y4lA02GQNd.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File read: C:\Users\user\Desktop\Y4lA02GQNd.exe Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Y4lA02GQNd.exe "C:\Users\user\Desktop\Y4lA02GQNd.exe"
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2836
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 2816
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2836 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 2816 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFA8.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 9_2_00415F87
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.490658324.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.445198670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.444887309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.490658324.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.445198670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.444887309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.490658324.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.445198670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.444887309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.490658324.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.445198670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.444887309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.490658324.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.445198670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.444887309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.490658324.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.445198670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.444887309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, Y4lA02GQNd.exe, 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.490658324.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.445198670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.444887309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 9_2_00411196
Source: Y4lA02GQNd.exe, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi3VIO8BcQAS4jkNDvOz2vFgwjmJQVvfe/QLVzUdNa/DRQRru81bJETGwXezvtdAnzQ==', 'LBR4IFG29JLL/TyKJ9igOb/d8vpwPbBBwT7tuaf90YMuiWhx6YY9pJ9ZS892PPQxzrPRwKh97JS5pShbGc1IkytPBM8OIZdB+WG4XkSsUTTvsV0L8p4s98l4I4XNyClYdUO4Icq/tf0REzPMCkm4VOw0fOoNp43AD24UxG30CkLRsUDfnFGJWG9hgs/FIKpuQJY+s/vViEjrrYTvrpkRJzjC4tPjO154W5uJGrt6Cwg/GlKuVgbWjwdO9mFPpsHva4pN5ekO7g3t9z9ECCpYrEtIaZ5YtDckoKuCC3U5Uja8/8OYFX+ktXkXu0YraLJE', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: WindowsUpdate.exe.0.dr, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi3VIO8BcQAS4jkNDvOz2vFgwjmJQVvfe/QLVzUdNa/DRQRru81bJETGwXezvtdAnzQ==', 'LBR4IFG29JLL/TyKJ9igOb/d8vpwPbBBwT7tuaf90YMuiWhx6YY9pJ9ZS892PPQxzrPRwKh97JS5pShbGc1IkytPBM8OIZdB+WG4XkSsUTTvsV0L8p4s98l4I4XNyClYdUO4Icq/tf0REzPMCkm4VOw0fOoNp43AD24UxG30CkLRsUDfnFGJWG9hgs/FIKpuQJY+s/vViEjrrYTvrpkRJzjC4tPjO154W5uJGrt6Cwg/GlKuVgbWjwdO9mFPpsHva4pN5ekO7g3t9z9ECCpYrEtIaZ5YtDckoKuCC3U5Uja8/8OYFX+ktXkXu0YraLJE', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi3VIO8BcQAS4jkNDvOz2vFgwjmJQVvfe/QLVzUdNa/DRQRru81bJETGwXezvtdAnzQ==', 'LBR4IFG29JLL/TyKJ9igOb/d8vpwPbBBwT7tuaf90YMuiWhx6YY9pJ9ZS892PPQxzrPRwKh97JS5pShbGc1IkytPBM8OIZdB+WG4XkSsUTTvsV0L8p4s98l4I4XNyClYdUO4Icq/tf0REzPMCkm4VOw0fOoNp43AD24UxG30CkLRsUDfnFGJWG9hgs/FIKpuQJY+s/vViEjrrYTvrpkRJzjC4tPjO154W5uJGrt6Cwg/GlKuVgbWjwdO9mFPpsHva4pN5ekO7g3t9z9ECCpYrEtIaZ5YtDckoKuCC3U5Uja8/8OYFX+ktXkXu0YraLJE', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi3VIO8BcQAS4jkNDvOz2vFgwjmJQVvfe/QLVzUdNa/DRQRru81bJETGwXezvtdAnzQ==', 'LBR4IFG29JLL/TyKJ9igOb/d8vpwPbBBwT7tuaf90YMuiWhx6YY9pJ9ZS892PPQxzrPRwKh97JS5pShbGc1IkytPBM8OIZdB+WG4XkSsUTTvsV0L8p4s98l4I4XNyClYdUO4Icq/tf0REzPMCkm4VOw0fOoNp43AD24UxG30CkLRsUDfnFGJWG9hgs/FIKpuQJY+s/vViEjrrYTvrpkRJzjC4tPjO154W5uJGrt6Cwg/GlKuVgbWjwdO9mFPpsHva4pN5ekO7g3t9z9ECCpYrEtIaZ5YtDckoKuCC3U5Uja8/8OYFX+ktXkXu0YraLJE', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi3VIO8BcQAS4jkNDvOz2vFgwjmJQVvfe/QLVzUdNa/DRQRru81bJETGwXezvtdAnzQ==', 'LBR4IFG29JLL/TyKJ9igOb/d8vpwPbBBwT7tuaf90YMuiWhx6YY9pJ9ZS892PPQxzrPRwKh97JS5pShbGc1IkytPBM8OIZdB+WG4XkSsUTTvsV0L8p4s98l4I4XNyClYdUO4Icq/tf0REzPMCkm4VOw0fOoNp43AD24UxG30CkLRsUDfnFGJWG9hgs/FIKpuQJY+s/vViEjrrYTvrpkRJzjC4tPjO154W5uJGrt6Cwg/GlKuVgbWjwdO9mFPpsHva4pN5ekO7g3t9z9ECCpYrEtIaZ5YtDckoKuCC3U5Uja8/8OYFX+ktXkXu0YraLJE', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi3VIO8BcQAS4jkNDvOz2vFgwjmJQVvfe/QLVzUdNa/DRQRru81bJETGwXezvtdAnzQ==', 'LBR4IFG29JLL/TyKJ9igOb/d8vpwPbBBwT7tuaf90YMuiWhx6YY9pJ9ZS892PPQxzrPRwKh97JS5pShbGc1IkytPBM8OIZdB+WG4XkSsUTTvsV0L8p4s98l4I4XNyClYdUO4Icq/tf0REzPMCkm4VOw0fOoNp43AD24UxG30CkLRsUDfnFGJWG9hgs/FIKpuQJY+s/vViEjrrYTvrpkRJzjC4tPjO154W5uJGrt6Cwg/GlKuVgbWjwdO9mFPpsHva4pN5ekO7g3t9z9ECCpYrEtIaZ5YtDckoKuCC3U5Uja8/8OYFX+ktXkXu0YraLJE', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, Form1.cs Base64 encoded string: 'v7nfuLb0yV+doq0y+Yoxi3VIO8BcQAS4jkNDvOz2vFgwjmJQVvfe/QLVzUdNa/DRQRru81bJETGwXezvtdAnzQ==', 'LBR4IFG29JLL/TyKJ9igOb/d8vpwPbBBwT7tuaf90YMuiWhx6YY9pJ9ZS892PPQxzrPRwKh97JS5pShbGc1IkytPBM8OIZdB+WG4XkSsUTTvsV0L8p4s98l4I4XNyClYdUO4Icq/tf0REzPMCkm4VOw0fOoNp43AD24UxG30CkLRsUDfnFGJWG9hgs/FIKpuQJY+s/vViEjrrYTvrpkRJzjC4tPjO154W5uJGrt6Cwg/GlKuVgbWjwdO9mFPpsHva4pN5ekO7g3t9z9ECCpYrEtIaZ5YtDckoKuCC3U5Uja8/8OYFX+ktXkXu0YraLJE', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6224
Source: Y4lA02GQNd.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: Y4lA02GQNd.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Y4lA02GQNd.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Y4lA02GQNd.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Y4lA02GQNd.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: WindowsUpdate.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Y4lA02GQNd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Y4lA02GQNd.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wwin32u.pdbRSDShQ:#& source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wkernel32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Runtime.Remoting.pdbmoting.pdbpdbing.pdbg\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: NapiNSP.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcrt.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cryptbase.pdbRSDS0 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wntdll.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorjit.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winnsi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ntasn1.pdbRSDSQ source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cryptsp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: advapi32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ucrtbase.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wsspicli.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: schannel.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Windows.Forms.pdbRSDSk source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shlwapi.pdbRSDS8 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr
Source: Binary string: 1%oC:\Windows\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: @Cosymbols\dll\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mskeyprotect.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr
Source: Binary string: schannel.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shell32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dwmapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: apphelp.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ws2_32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: bcryptprimitives.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: .pdb94 source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: fastprox.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: nsi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dnsapi.pdbRSDSp source: WER3193.tmp.mdmp.12.dr
Source: Binary string: gpapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: powrprof.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wUxTheme.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wimm32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ole32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Configuration.pdbY` source: WER3193.tmp.mdmp.12.dr
Source: Binary string: version.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dhcpcsvc6.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msasn1.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wgdi32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorlib.pdb source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, WER3193.tmp.mdmp.12.dr
Source: Binary string: cfgmgr32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: Windows.Storage.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: combase.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasman.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: iphlpapi.pdbRSDSU source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cfgmgr32.pdbRSDSu7 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: apphelp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: sechost.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasadhlp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: powrprof.pdbRSDSQ source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorlib.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dhcpcsvc.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcr80.i386.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: combase.pdbRSDSM% source: WER3193.tmp.mdmp.12.dr
Source: Binary string: profapi.pdbRSDS# source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Management.pdbRSDSL source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ntmarta.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: crypt32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fltLib.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: psapi.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: Windows.Storage.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shell32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcr80.i386.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcp_win.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winnsi.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasapi32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\System.pdb\CA' source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wuser32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wUxTheme.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ntasn1.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wmiutils.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb@ source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wgdi32full.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorjit.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: sechost.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rsaenh.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ncryptsslp.pdbRSDS!V source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msctf.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemcomn.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fastprox.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wsspicli.pdbRSDSv source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemsvc.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winrnr.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msctf.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wrpcrt4.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Xml.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: gdiplus.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemprox.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Xml.pdb# source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rtutils.pdbRSDST source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Windows.Forms.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Configuration.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fwpuclnt.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: bcryptprimitives.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wbemsvc.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wuser32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Management.pdbH source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.pdbRSDS~:] source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rsaenh.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: bcrypt.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: advapi32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemcomn.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: 1%oC:\Windows\mscorlib.pdb source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mskeyprotect.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wrpcrt4.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: edputil.pdbRSDSk source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shcore.pdbRSDSK source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ws2_32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msvcp_win.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Windows.Forms.pdb, source: WER3193.tmp.mdmp.12.dr
Source: Binary string: Kernel.Appcore.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: CLBCatQ.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ntmarta.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shlwapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasadhlp.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: secur32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscoreei.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscoree.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: symbols\dll\mscorlib.pdb source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Runtime.Remoting.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dhcpcsvc.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: iphlpapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb< source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ole32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: bcrypt.pdbRSDSY! source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winhttp.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Configuration.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wkernelbase.pdbRSDST source: WER3193.tmp.mdmp.12.dr
Source: Binary string: security.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: nsi.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shfolder.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: DWrite.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Drawing.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Management.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: pnrpnsp.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fwpuclnt.pdbRSDSI source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ncrypt.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: secur32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: security.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: nlaapi.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: NapiNSP.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winrnr.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Xml.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\dll\System.pdb/ source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: pnrpnsp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wmswsock.pdbRSDSs: source: WER3193.tmp.mdmp.12.dr
Source: Binary string: DWrite.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: gpapi.pdbRSDS'- source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shcore.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wgdi32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscoree.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: oleaut32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasapi32.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wntdll.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dnsapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wimm32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wwin32u.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: nlaapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dwmapi.pdbRSDS%q.I source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cryptsp.pdbRSDSo source: WER3193.tmp.mdmp.12.dr
Source: Binary string: winhttp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: gdiplus.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorlib.pdbH source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, WER3193.tmp.mdmp.12.dr
Source: Binary string: rtutils.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorwks.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: profapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: dhcpcsvc6.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: WMINet_Utils.pdbRSDS} source: WER3193.tmp.mdmp.12.dr
Source: Binary string: shfolder.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: rasman.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wkernel32.pdbRSDS` source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ncryptsslp.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Y4lA02GQNd.exe, WindowsUpdate.exe.0.dr
Source: Binary string: System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.494478632.000000000883B000.00000004.00000010.00020000.00000000.sdmp, WER3193.tmp.mdmp.12.dr
Source: Binary string: wmswsock.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: version.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdbRSDS$<y source: WER3193.tmp.mdmp.12.dr
Source: Binary string: fltLib.pdbRSDSw-n source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wgdi32full.pdbRSDS1r5 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: System.Drawing.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: ncrypt.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: Kernel.Appcore.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: psapi.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: WMINet_Utils.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: cryptbase.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscoreei.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Y4lA02GQNd.exe, 00000000.00000000.493597080.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.479603725.0000000007E6A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: msasn1.pdbRSDSG0 source: WER3193.tmp.mdmp.12.dr
Source: Binary string: mscorwks.pdbRSDS source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wmiutils.pdbRSDS@ source: WER3193.tmp.mdmp.12.dr
Source: Binary string: CLBCatQ.pdbRSDSF source: WER3193.tmp.mdmp.12.dr
Source: Binary string: wbemprox.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: crypt32.pdb source: WER3193.tmp.mdmp.12.dr
Source: Binary string: edputil.pdb source: WER3193.tmp.mdmp.12.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: Y4lA02GQNd.exe, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Y4lA02GQNd.exe, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Y4lA02GQNd.exe, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Y4lA02GQNd.exe, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00411879 push ecx; ret 8_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004118A0 push eax; ret 8_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_004118A0 push eax; ret 8_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00442871 push ecx; ret 9_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00442A90 push eax; ret 9_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00442A90 push eax; ret 9_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00446E54 push eax; ret 9_2_00446E61
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008B0712 push eax; ret 13_2_008B0726
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_008B0712 push eax; ret 13_2_008B074E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0088B87E push ecx; ret 13_2_0088B88E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0088BA9D push eax; ret 13_2_0088BAB1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_0088BA9D push eax; ret 13_2_0088BAD9
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_02A70724 pushfd ; retf 13_2_02A7074B
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 8_2_00403C3D
Drops PE files
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_0040F64B
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe TID: 2096 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe TID: 6664 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe TID: 6668 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe TID: 6648 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe TID: 6900 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1788 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5752 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 9_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Thread delayed: delay time: 140000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Thread delayed: delay time: 60000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: bhv748A.tmp.9.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20220322T234322Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=d3149e4c24574c13b1dfab6c19d0774d&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1418195&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1418195&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: bhv748A.tmp.9.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:BE8AB8DF-DCD1-3523-4A95-3A04EAFF1CBA&ctry=US&time=20220308T162756Z&lc=en-US&pl=en-US&idtp=mid&uid=b029da70-c67b-4a7e-9bd5-517f7e302ed9&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=40fc91947c2247ddb52fc1e98d62e130&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1418195&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1418195&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_004161B0 memset,GetSystemInfo, 9_2_004161B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 8_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 9_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 9_2_00407E0E
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 9_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 8_2_00403C3D
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process queried: DebugPort Jump to behavior
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 2816 Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000 Jump to behavior
.NET source code references suspicious native API functions
Source: Y4lA02GQNd.exe, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Y4lA02GQNd.exe, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: WindowsUpdate.exe.0.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: WindowsUpdate.exe.0.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 13.2.WindowsUpdate.exe.840000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 13.0.WindowsUpdate.exe.840000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2836 Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6224 -s 2816 Jump to behavior
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [Program Manager - 3/22/2022 4:52:57 PM]
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 9_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 9_2_0041604B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 8_2_0040724C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00406278 GetVersionExA, 8_2_00406278
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Y4lA02GQNd.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
AV process strings found (often used to terminate AV products)
Source: Y4lA02GQNd.exe, 00000000.00000000.476599135.0000000006D50000.00000004.00000800.00020000.00000000.sdmp, Y4lA02GQNd.exe, 00000000.00000000.492340701.0000000006D50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information
barindex
Yara detected MailPassView
Source: Yara match File source: Y4lA02GQNd.exe, type: SAMPLE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4017e00.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.89fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Y4lA02GQNd.exe.6de8c32.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Y4lA02GQNd.exe.6de8c32.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4017e00.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.89fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4017e00.20.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4017e00.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.444557642.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.443960475.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.451606786.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.443355252.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y4lA02GQNd.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6564, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Yara detected HawkEye Keylogger
Source: Yara match File source: Y4lA02GQNd.exe, type: SAMPLE
Source: Yara match File source: 13.0.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Y4lA02GQNd.exe.6de8c32.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.3038f34.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.3038f34.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y4lA02GQNd.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 8_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 8_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 8_2_004033D7
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Y4lA02GQNd.exe, type: SAMPLE
Source: Yara match File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4031250.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.849c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.849c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4017e00.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4031250.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4031250.21.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4031250.21.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.4017e00.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.490658324.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.445198670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.444887309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.445569084.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.471508319.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.489759176.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y4lA02GQNd.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior

Remote Access Functionality
barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: Y4lA02GQNd.exe, type: SAMPLE
Source: Yara match File source: 13.0.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.Y4lA02GQNd.exe.6de8c32.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.9cfa72.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.89fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.848208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.849c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.849c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.970000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.979c0d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.978208.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.848208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.3038f34.19.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Y4lA02GQNd.exe.3038f34.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.354554093.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.489168833.0000000000842000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.480706912.0000000000972000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Y4lA02GQNd.exe PID: 6224, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Detected HawkEye Rat
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Y4lA02GQNd.exe, 00000000.00000000.453280536.0000000000972000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Hq'&HawkEye_Keylogger_Execution_Confirmed_
Source: Y4lA02GQNd.exe, 00000000.00000000.482840431.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Hq#"HawkEye_Keylogger_Stealer_Records_
Source: Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Hq'&HawkEye_Keylogger_Execution_Confirmed_
Source: Y4lA02GQNd.exe, 00000000.00000000.458145021.0000000003011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Hq#"HawkEye_Keylogger_Stealer_Records_
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Y4lA02GQNd.exe, 00000000.00000003.433283661.0000000006DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000D.00000000.475455180.0000000000842000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Y4lA02GQNd.exe String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Y4lA02GQNd.exe String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Y4lA02GQNd.exe String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Y4lA02GQNd.exe String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe.0.dr String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe.0.dr String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe.0.dr String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe.0.dr String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_054D0A8E listen, 13_2_054D0A8E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_054D0E9E bind, 13_2_054D0E9E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_054D0A50 listen, 13_2_054D0A50
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_054D0E6B bind, 13_2_054D0E6B
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 594270 Sample: Y4lA02GQNd Startdate: 22/03/2022 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 8 other signatures 2->45 6 Y4lA02GQNd.exe 16 8 2->6         started        11 WindowsUpdate.exe 5 2->11         started        process3 dnsIp4 31 104.16.154.36, 443, 49775 CLOUDFLARENETUS United States 6->31 33 whatismyipaddress.com 104.16.155.36, 49774, 80 CLOUDFLARENETUS United States 6->33 35 4.179.10.0.in-addr.arpa 6->35 25 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 6->25 dropped 27 C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII 6->27 dropped 47 May check the online IP address of the machine 6->47 49 Changes the view of files in windows explorer (hidden files and folders) 6->49 51 Writes to foreign memory regions 6->51 59 4 other signatures 6->59 13 vbc.exe 1 6->13         started        16 vbc.exe 2 6->16         started        18 WerFault.exe 3 9 6->18         started        21 dw20.exe 22 6 6->21         started        37 127.0.0.1 unknown unknown 11->37 29 C:\Users\user\...\WindowsUpdate.exe.log, ASCII 11->29 dropped 53 Antivirus detection for dropped file 11->53 55 Multi AV Scanner detection for dropped file 11->55 57 Machine Learning detection for dropped file 11->57 file5 signatures6 process7 file8 61 Tries to steal Mail credentials (via file registry) 13->61 63 Tries to steal Instant Messenger accounts or passwords 13->63 65 Tries to steal Mail credentials (via file / registry access) 13->65 67 Tries to harvest and steal browser information (history, passwords, etc) 16->67 23 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->23 dropped signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.16.154.36
 unknown United States
13335 CLOUDFLARENETUS false
104.16.155.36
 whatismyipaddress.com United States
13335 CLOUDFLARENETUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
whatismyipaddress.com 104.16.155.36 true
4.179.10.0.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://whatismyipaddress.com/ false
    		high