Windows Analysis Report
7.exe

Overview

General Information

Sample Name: 7.exe
Analysis ID: 597511
MD5: ed666bf7f4a0766fcec0e9c8074b089b
SHA1: 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256: d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
Tags: exe
Infos:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Changes the view of files in windows explorer (hidden files and folders)
Yara detected WebBrowserPassView password recovery tool
Machine Learning detection for dropped file
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sigma detected: CurrentVersion Autorun Keys Modification
May infect USB drives
Found potential string decryption / allocating functions
Contains functionality to call native functions
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Uses FTP
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sigma detected: Autorun Keys Modification

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Multi AV Scanner detection for submitted file
Source: 7.exe Virustotal: Detection: 83% Perma Link
Source: 7.exe Metadefender: Detection: 68% Perma Link
Source: 7.exe ReversingLabs: Detection: 95%
Antivirus / Scanner detection for submitted sample
Source: 7.exe Avira: detected
Source: 7.exe Avira: detected
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Metadefender: Detection: 68% Perma Link
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 95%
Machine Learning detection for sample
Source: 7.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.0.vbc.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.7.exe.140000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.7.exe.140000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.0.7.exe.140000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.7.exe.140000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.vbc.exe.400000.4.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.vbc.exe.400000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.vbc.exe.400000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.vbc.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.4:49778 version: TLS 1.0
Uses 32bit PE files
Source: 7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\7.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: 7.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\System.pdbpdbtem.pdbUs source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Runtime.Remoting.pdbB source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0| source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
Source: Binary string: System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Runtime.Remoting.pdb7 source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbd source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
May infect USB drives
Source: 7.exe Binary or memory string: [autorun]
Source: 7.exe Binary or memory string: autorun.inf
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: autorun.inf
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: [autorun]
Source: 7.exe Binary or memory string: autorun.inf
Source: 7.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe.0.dr Binary or memory string: autorun.inf
Source: WindowsUpdate.exe.0.dr Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 7_2_00407E0E
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 11_2_02990728
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_016F0728

Networking
barindex
May check the online IP address of the machine
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
Source: C:\Users\user\Desktop\7.exe DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.16.154.36:443 -> 192.168.2.4:49778 version: TLS 1.0
Uses FTP
Source: unknown FTP traffic detected: 145.14.144.149:21 -> 192.168.2.4:49792 220 ProFTPD Server (000webhost.com) [::ffff:145.14.144.149]
Source: vbc.exe, 00000007.00000003.327330196.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329240962.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.327136256.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.327359764.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329711659.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326799116.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326997633.0000000002205000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: http://172.217.23.78/
Source: bhv4267.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2ExtendedValidationServerCA.crt0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=true
Source: vbc.exe, 00000007.00000003.328908883.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329381056.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329120944.000000000220A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/name=euconsent&value=&expire=0&isFirstRequest=truef5-b8c0-4
Source: bhv4267.tmp.7.dr String found in binary or memory: http://cookies.onetrust.mgr.consensu.org/onetrust-logo.svg
Source: 7.exe, WindowsUpdate.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: 7.exe, 00000000.00000002.516042380.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/sha2-ev-server-g2.crl04
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/sha2-ev-server-g2.crl0K
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv4267.tmp.7.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhv4267.tmp.7.dr String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000000B.00000002.321167778.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000D.00000002.337092250.00000000033B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foo.com/fooT
Source: WindowsUpdate.exe, 0000000D.00000002.336781223.0000000001531000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.
Source: bhv4267.tmp.7.dr String found in binary or memory: http://google.com/
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IiIsIml1ZSI6Imh0dHA6Ly9pbWFnZXMyLnplbWFudGEuY29tL
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjAxYWZjY2Q0NWJhMmI1MGJkMWJjMzhmMGFlZWM2MDJmMjc2O
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjJkYTFhZDAwNDEyNzQ2M2E3MGUyMWVkZmIxNmUyZjQ2MjBkM
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjU5Zjc4ZGRjN2Y0NThlYzE2YmNhY2E0Y2E2YmFkYzgwNTYyZ
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6IjVhZWEwOTA0MmYxYzJjMDRlMmU1NDg1YzZmNjY2NTU5N2E5N
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijc4NDFiMmZlNWMxZGU2M2JkNDdjMGQzZWI3NjIzYjlkNWU5N
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImRjOWViNGY4OTFjMzQ4NTUyMWQyYWZlZDU1MmZmOWI0NzQyN
Source: bhv4267.tmp.7.dr String found in binary or memory: http://images.outbrainimg.com/transform/v3/eyJpdSI6ImYxODk5OTBhOWZjYjFmZjNjNmMxNDhmYjkzM2M3NzY1Mzk3Z
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA61Ofl?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA7XCQ3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AABzUSt?h=368&w=622&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsAOZ?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADsZuW?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuG4N?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuQtg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTly?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuTp7?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuY5J?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuZko?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADuqZ9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv4Ge?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADv842?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbPR?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvbce?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvhNP?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AADvoN9?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXiwM?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eTok?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18qTPD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xJbM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yKf2?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ylKx?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19ywNG?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB46JmN?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB6Ma4a?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBMVUFn?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBRUB0d?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBWoHwx?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBkwUr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BByBEMv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: 7.exe, WindowsUpdate.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.digicert.com0R
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhv4267.tmp.7.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhv4267.tmp.7.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhv4267.tmp.7.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0-
Source: bhv4267.tmp.7.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv4267.tmp.7.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/2366737e/webcore/externalscripts/oneTrust/ski
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/5445db85/webcore/externalscripts/oneTrust/de-
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/3bf20fde-50425371/directi
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-2923b6c2/directio
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/3bf20fde-b532f4eb/directio
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/81/58b810.gif
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/86/2042ed.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA61Ofl.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA7XCQ3.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AABzUSt.img?h=368&w=622
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsAOZ.img?h=166&w=310
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADsZuW.img?h=166&w=310
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuG4N.img?h=75&w=100&
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuQtg.img?h=166&w=310
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTly.img?h=166&w=310
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuTp7.img?h=333&w=311
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuY5J.img?h=166&w=310
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuZko.img?h=75&w=100&
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADuqZ9.img?h=75&w=100&
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv4Ge.img?h=75&w=100&
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADv842.img?h=250&w=300
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbPR.img?h=250&w=300
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvbce.img?h=333&w=311
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvhNP.img?h=333&w=311
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AADvoN9.img?h=166&w=310
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXiwM.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eTok.img?h=75&w=100
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=166&w=31
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18qTPD.img?h=16&w=16&
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=333&w=31
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xJbM.img?h=75&w=100
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yKf2.img?h=250&w=30
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ylKx.img?h=75&w=100
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19ywNG.img?h=75&w=100
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB46JmN.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB6Ma4a.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBMVUFn.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBRUB0d.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBWoHwx.img?h=27&w=27&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBkwUr.img?h=16&w=16&m=
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BByBEMv.img?h=16&w=16&m
Source: bhv4267.tmp.7.dr String found in binary or memory: http://support.google.com/accounts/answer/151657
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: WindowsUpdate.exe String found in binary or memory: http://whatismyipaddress.com/
Source: 7.exe, WindowsUpdate.exe.0.dr String found in binary or memory: http://whatismyipaddress.com/-
Source: 7.exe, 00000000.00000003.262076697.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.agfamonotype.DI
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254843316.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255331043.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: 7.exe, 00000000.00000003.255331043.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com$
Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255733439.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comT
Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comate
Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comcoc
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255733439.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comnte
Source: 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comyo
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 7.exe, 00000000.00000003.261536786.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 7.exe, 00000000.00000003.263754771.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 7.exe, 00000000.00000003.262969147.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263452860.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263206127.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263385408.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263278615.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.263076891.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.262837867.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 7.exe, 00000000.00000002.519636455.0000000004E90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comD
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: 7.exe, 00000000.00000003.254350013.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 7.exe, 00000000.00000003.254218270.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254533517.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255021465.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254350013.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254694365.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn.
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 7.exe, 00000000.00000003.253646233.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253468400.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254218270.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253342487.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254350013.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnLog0
Source: 7.exe, 00000000.00000003.254218270.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254350013.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnLogv
Source: 7.exe, 00000000.00000003.253912284.0000000004E9E000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253646233.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253468400.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253342487.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cna
Source: 7.exe, 00000000.00000003.253646233.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253468400.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254218270.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253342487.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254533517.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255021465.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254350013.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254694365.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnate
Source: 7.exe, 00000000.00000003.253912284.0000000004E9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnicr
Source: 7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnlYM
Source: 7.exe, 00000000.00000003.253912284.0000000004E9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnn-u
Source: 7.exe, 00000000.00000003.253912284.0000000004E9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnn-u~
Source: 7.exe, 00000000.00000003.254218270.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.254350013.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnric
Source: 7.exe, 00000000.00000003.253812592.0000000004EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnxYq
Source: 7.exe, 00000000.00000003.267611430.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: bhv4267.tmp.7.dr String found in binary or memory: http://www.google.com/
Source: 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.258148677.0000000004E99000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.258148677.0000000004E99000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256584450.0000000004E92000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/R
Source: 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.258148677.0000000004E99000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 7.exe, 00000000.00000003.257894998.0000000004E97000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.256933810.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.258148677.0000000004E99000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257240105.0000000004E9A000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.257636111.0000000004E97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: 7.exe, 00000000.00000003.262076697.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.EN~
Source: bhv4267.tmp.7.dr String found in binary or memory: http://www.msn.com
Source: bhv4267.tmp.7.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 00000007.00000003.328344794.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.328908883.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325731476.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326556191.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.328003119.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326356510.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325442635.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326584909.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325320855.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325930190.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329120944.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325169593.000000000220C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.328270222.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325629007.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326156239.0000000002205000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhv4267.tmp.7.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhv4267.tmp.7.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: WindowsUpdate.exe.0.dr String found in binary or memory: http://www.nirsoft.net/
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.258440482.0000000004EBE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.252539610.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.252440722.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: 7.exe, 00000000.00000003.252539610.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.252440722.0000000004EBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kru
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: 7.exe, 00000000.00000003.254843316.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255053933.0000000004E9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.U
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 7.exe, 00000000.00000002.520413464.0000000006122000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255428541.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255600555.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255021465.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255516238.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255733439.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 7.exe, 00000000.00000003.255021465.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnnte
Source: 7.exe, 00000000.00000003.255298245.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.255021465.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnte
Source: vbc.exe, 00000007.00000003.329240962.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.329711659.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: https://172.217.23.78/
Source: vbc.exe, 00000007.00000003.324973841.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326556191.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: bhv4267.tmp.7.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: bhv4267.tmp.7.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNRfxSclVePPTskt_ULwutuxovZBENP6CQBK41sqxH
Source: bhv4267.tmp.7.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/si?gadsid=AORoGNSN_Te_GQT33AAAR6UNrVcn3a-PGny50bSNsHlzoT
Source: bhv4267.tmp.7.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNQXg7AHkvg6J6S0TqGFa_0HynGV3_XxYfs4fLINJG
Source: bhv4267.tmp.7.dr String found in binary or memory: https://adservice.google.co.uk/adsid/google/ui?gadsid=AORoGNRxRJyZzZp4KXfYTC7Z4q4fsi2jmRa8YGEqdB288n
Source: bhv4267.tmp.7.dr String found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNSvKHbjRugN8Bruw1IrFif72u8bwsJvZ4BRSrMAhil_
Source: bhv4267.tmp.7.dr String found in binary or memory: https://adservice.google.com/adsid/google/si?gadsid=AORoGNTzML9SvDOPLAOFxwn751k-3cAoAULy2FWuSRb89C_P
Source: bhv4267.tmp.7.dr String found in binary or memory: https://adservice.google.com/adsid/google/ui
Source: bhv4267.tmp.7.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: bhv4267.tmp.7.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.9Ky5Gf3gP0o.O/m=gapi_iframes
Source: bhv4267.tmp.7.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv4267.tmp.7.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: vbc.exe, 00000007.00000003.324973841.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326556191.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: bhv4267.tmp.7.dr String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: bhv4267.tmp.7.dr String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
Source: bhv4267.tmp.7.dr String found in binary or memory: https://contextual.media.net/
Source: bhv4267.tmp.7.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhv4267.tmp.7.dr String found in binary or memory: https://contextual.media.net/__media__/js/util/nrrV9140.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000007.00000003.326235002.0000000002725000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326524685.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326081545.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
Source: bhv4267.tmp.7.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: bhv4267.tmp.7.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv4267.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/100x75/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
Source: bhv4267.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/100x75/2/89/162/29/8ee7a9a3-dec9-4d15-94e1-5c73b17d2de1.jpg?v=9
Source: bhv4267.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/100x75/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
Source: bhv4267.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/286x175/2/249/241/157/ab7b8862-dfb2-4e59-a214-ff623600dbf5.jpg?v=9
Source: bhv4267.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/286x175/3/148/118/158/6d596081-b574-4a8a-9662-8f180c6f659f.jpg?v=9
Source: bhv4267.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/300x300/2/41/100/83/b5cbfa68-1c93-41c9-8797-4f9b532bc0b6.jpg?v=9
Source: bhv4267.tmp.7.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv4267.tmp.7.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv4267.tmp.7.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B83C84637
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQE7dARJDf70CVtvXguPcFi4kAoAFTTEX3FZ_Kd&s=0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQEZeIjizh9n8teY_8BOjsYtpLHwSdIq3PT-WQtot4&s=10
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQFso5PEv3c0kRR2gODJUq62DZF6fnxNsqKUTBX-00QeuCR
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQJBttAzO3yKFNSKzEm8qyQoBw2vbSHn0xMB0yhbgc&s=10
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQSkA3BhTLNTXreS8GxkTmsFGydHUKxWR3gtSn5&s=0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQYaLHOGeTAvxcl2Kvu_RGdrblf1tOpndi7m5_OMgFvfzlI
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQc9-XcC69nXJpriIbLos4bSDdjrz_nByi2zL9xxJ4&s=10
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQcijPNIB_ZGSU0DrjPI_tJ1YOI-6PHUbyHUjTLi3M5nnkK
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQehqYcvOrRcw1YORGnrCzHbNyjMegefhpqYrPQO8G2_KPc
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcQyeaAiOCtrhzoyiUuHOZcp67UWv4aYiYIKZ629tWqIyQ_l
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcR6qDJUCBqqO8k81oIRUuLKwKNP-ux5oIGn1btf&s=0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRXMqY1lU5NXqI7H2QRWgHFAYTsfVdew3_6QMhtv0g&s=10
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRZaO1x4iyU-YgxgvuerXdFmXdj8Ce3rNy8Mqw2SlqePXDg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcRlHYHZu1FxxbUNbpii9NbSF3wy4srqmfLAOC-QBxw&s
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS2yfg_cFEuqKFbNZCaFykqy-jW3vHyGM224t0Sov33iXvh
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS7Tsy61sPGCiV6yILYtCYyP2q9i9bHmXBPqktk0xQvTH0l
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS9bnSRFZj9kLnT0CeZ7r27C9IrO3sFLnQL62gz&s=0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSHEjIxVJou5NRecC2n_FnHaUJDfppR3IDOglu2Ry9INoxt
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSKx7_Dt9K5OFgp-raiLw2XdVNOTbR27N_DCL6T8VDVN_16
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSTkM_f5rN2hSSg3E_UshkUpgZ0a66Lz0rF6gF6&s=0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcScI5035wSfgyvpN8fX27BnFHfF4a7I8z7Xlm7v&s=0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSpNsTsg--kCoAxXjTvRrABIfJjd5ITzVx14ODQUC4wDGzB
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSrCEL2r-B2oHHnS0EeiVjQLJYayeF4GHjCZod9vr4&s
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSvX77JsybkskW6WoLj5kY6exJKuOkXoRWSsNgJbFY&s
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcT9-gm37CbSVQ1QMRdyqOvdY12lHBO7fXpaqZZqKP2Wbjr2
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTKoe8A2_V1bWtOlP5fx10ZdjsJZv6l2_sKjTp6jVAPnp0g
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcThUknsbAksExwESRgK7TW5ujPLzgeGDT0-A3f5a1XrdyR-
Source: bhv4267.tmp.7.dr String found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTo0t2j428kWHZlc2etqXbsI-zLrpgSp87E2H24&s=0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v14/4UabrENHsxJlGDuGo1OIlLU94YtzCwA.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmEU9fBBc-.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmSU5fBBc-.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOlCnqEu92Fr1MmWUlfBBc-.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu4mxM.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv4267.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNQXwBwQrE_SUsnWzwpadcOOdc8yOg6JxthQN
Source: bhv4267.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/si?gadsid=AORoGNTXuGHPo1zFjYPXt7mTG-4GALGGk8bjqjvBm
Source: bhv4267.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNQP1yCl9r5iywZTFTjpazv-DURVxDidzMfrF
Source: bhv4267.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/adsid/google/ui?gadsid=AORoGNSrZsXAj6n_sYvivJecwrpYgMhb9ihVGAlz2
Source: bhv4267.tmp.7.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWeTGO?ver=8c74&q=90&m=
Source: bhv4267.tmp.7.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhv4267.tmp.7.dr String found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipOcdIDtTfqJElTfRhjdFP9dPcYlW61iEhrydiuX=w92-h92-n-k-no
Source: bhv4267.tmp.7.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv4267.tmp.7.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: WindowsUpdate.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/ConvergedLoginPaginatedStrings.en.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/ConvergedLogin_PCore.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/Converged_v21033.css
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/MeControl.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/images/ellipsis_white.svg?x=5ac590ee72bfe06a7cecfd75b588
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28230.00/images/microsoft_logo.svg?x=ee5c8d9fb6248c938fd0dc19370e
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_grey_2b5d393db04a5e6e1f739cb266e
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhv4267.tmp.7.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv4267.tmp.7.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meBoot.min.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://mem.gfx.ms/meversion?partner=RetailStore2&market=en-us&uhf=1
Source: bhv4267.tmp.7.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv4267.tmp.7.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: vbc.exe, 00000007.00000003.324973841.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326556191.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: vbc.exe, 00000007.00000003.326235002.0000000002725000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ogs.google.com/widget/callouthttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&
Source: bhv4267.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2019-06-26-21-10-17/PreSignInSettingsConfig.json
Source: bhv4267.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2019-06-26-21-10-17/PreSignInSettingsConfig.json?One
Source: bhv4267.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json?One
Source: bhv4267.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/19.086.0502.0006/OneDriveSetup.exe
Source: bhv4267.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/19.103.0527.0003/update1.xml?OneDriveUpdate=d580ab8fe35aabd7f368aa
Source: bhv4267.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update1.xml?OneDriveUpdate=285df6c9c501a160c7a24c
Source: bhv4267.tmp.7.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update1.xml?OneDriveUpdate=4a941ab240f8b2c5ca3ca1
Source: bhv4267.tmp.7.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: bhv4267.tmp.7.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/css/optanon.c
Source: bhv4267.tmp.7.dr String found in binary or memory: https://optanon.blob.core.windows.net/skins/4.1.0/default_flat_top_two_button_black/v2/images/cookie
Source: bhv4267.tmp.7.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhv4267.tmp.7.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv4267.tmp.7.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv4267.tmp.7.dr String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/BXjlWewXmZ47HeV5NPvUYA--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: bhv4267.tmp.7.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=28e3747a031f4b2a8498142b7c961529&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv4267.tmp.7.dr String found in binary or memory: https://ssl.gstatic.com/gb/images/i1_1967ca6a.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whatismyipaddress.comx&Qq
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=993498051.1601450642
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: WindowsUpdate.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/async/bgasy?ei=gTJ0X7zPLY2f1fAPlo2xoAI&yv=3&async=_fmt:jspb
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&pq
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q&cp=0&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&ps
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=c&cp=1&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0&
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=ch&cp=2&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=0
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=chr&cp=3&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser=
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=chro&cp=4&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuser
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=chrom&cp=5&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authuse
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/complete/search?q=chrome&cp=6&client=psy-ab&xssi=t&gs_ri=gws-wiz&hl=en&authus
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/favicon.ico
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_272x92dp.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/images/branding/googlelogo/2x/googlelogo_color_92x30dp.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/images/hpp/Chrome_Owned_96x96.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/images/icons/material/system/1x/email_grey600_24dp.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/images/nav_logo299.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/images/phd/px.gif
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/images/searchbox/desktop_searchbox_sprites302_hr.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/application/x-msdownloadC:
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/js/bg/4sIGg4Q0MrxdMwjTwsyJBGUAZbljSmH8-8Fa9_hVOC0.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/search
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
Source: vbc.exe, 00000007.00000003.325731476.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326356510.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325442635.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326584909.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326799116.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325930190.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.325629007.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326156239.0000000002205000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchp/LinkId=255141
Source: vbc.exe, 00000007.00000003.324973841.000000000221A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326556191.00000000021FD000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/am=AAAAAABA
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.google.com/xjs/_/js/k=xjs.s.en_GB.u8fwEfmm86E.O/ck=xjs.s.hyRG9kR79v8.L.I11.O/m=IvlUe
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.ConsentUi.en_GB.wmTUy5P6FUM.es5.O/ck=
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.bMYZ6MazNlM.
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/ac/cb/cb_cbu_kickin.svg
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_92x36dp.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/check_black_24dp.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/keyboard_arrow_down_grey600_24dp.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/kpui/social/fb_32x32.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/kpui/social/twitter_32x32.png
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.og2.en_US.vA2d_upwXfg.O/rt=j/m=def
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.LGkrjG2a9yI.O/rt=j/m=qabr
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.CniBF78B8Ew.L.X.O/m=qcwid/excm=qaaw
Source: bhv4267.tmp.7.dr String found in binary or memory: https://www.gstatic.com/ui/v1/activityindicator/loading_24.gif
Source: vbc.exe, 00000007.00000003.327136256.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.327359764.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326799116.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.326997633.0000000002205000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: https://www.msn.com/
Source: vbc.exe, 00000007.00000003.326997633.0000000002205000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com//searchp/LinkId=255141
Source: vbc.exe, 00000007.00000002.336834099.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.330636856.0000000002728000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.330341195.0000000002728000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.336204608.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.336282988.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://micros
Source: vbc.exe, 00000007.00000003.330213728.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.330764840.000000000220A000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.330383964.0000000002205000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.330454176.000000000220A000.00000004.00000800.00020000.00000000.sdmp, bhv4267.tmp.7.dr String found in binary or memory: https://www.msn.com/spartan/dhp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&ishostisol
Source: unknown DNS traffic detected: queries for: 49.124.12.0.in-addr.arpa
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 26 Mar 2022 06:59:51 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCF-Chl-Bypass: 1Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTX-Frame-Options: SAMEORIGINExpect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"Set-Cookie: __cf_bm=Vd7oHkI86VCkRNhJ2ufFFOkskwgzG61jnL7.1ngI0ZI-1648277991-0-AXKGAVonDzYglQ/tiv8FR+qwypp7BnEq4lYKCAOahVihbQj4Dc3wxS0Ubdt8j3dqzSOLMUDxNAMCmdmFvxUXhL8=; path=/; expires=Sat, 26-Mar-22 07:29:51 GMT; domain=.whatismyipaddress.com; HttpOnly; SecureServer: cloudflareCF-RAY: 6f1e0185c8788ffa-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Source: vbc.exe, 00000007.00000002.336834099.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.336204608.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.336282988.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000002.336834099.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.336204608.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000007.00000003.336282988.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.msn.com/http://www.google.com/ms-appx-web://microsoft.microsoftedge/ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.htmlms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=11001ms-appx-web://microsoft.microsoftedge/assets/errorpages/dnserror.html?ErrorStatus=0x800C0005&DNSError=10060https://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=c5003367-537c-4bc6-f11c-743a85fd800b&partnerId=retailstore2https://login.live.com/me.srfhttps://login.live.com/me.srf?wa=wsignin1.0&wreply=https%3A%2F%2Fwww.microsoft.com&uaid=8dc8b1f5-b8c0-44ac-8df2-c841e5a6aeb1&partnerId=retailstore2https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/store/buy/cartcounthttp://cookies.onetrust.mgr.consensu.org/?name=euconsent&value=&expire=0&isFirstRequest=truehttp://cookies.onetrust.mgr.consensu.org/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
Source: 7.exe, WindowsUpdate.exe.0.dr String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 7.exe, WindowsUpdate.exe.0.dr String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/beauty|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/food|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/health|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/makers|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/movies|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/music|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/parents|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/politics|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/style|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tech|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/travel|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com/tv|ntpproviders equals www.yahoo.com (Yahoo)
Source: bhv4267.tmp.7.dr String found in binary or memory: MicrosoftEdge_iecompat:www.yahoo.com|ntpproviders equals www.yahoo.com (Yahoo)
Source: WindowsUpdate.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 7.exe, type: SAMPLE
Source: Yara match File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Contains functionality to log keystrokes (.Net Source)
Source: 7.exe, Form1.cs .Net Code: HookKeyboard
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: HookKeyboard
Source: 0.2.7.exe.140000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 0.0.7.exe.140000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 6_2_0040AC8A
Creates a DirectInput object (often for capturing keystrokes)
Source: WindowsUpdate.exe, 0000000B.00000002.320055684.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 7.exe, type: SAMPLE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.exe, type: SAMPLE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Detected potential crypto function
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_0014D426 0_2_0014D426
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_0014D523 0_2_0014D523
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_0015D5AE 0_2_0015D5AE
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_00157646 0_2_00157646
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_001829BE 0_2_001829BE
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_00186AF4 0_2_00186AF4
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_001AABFC 0_2_001AABFC
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_001A3C4D 0_2_001A3C4D
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_001A3CBE 0_2_001A3CBE
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_0014ED03 0_2_0014ED03
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_0017C7BC 0_2_0017C7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404DDB 6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040BD8A 6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404E4C 6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404EBD 6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404F4E 6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404419 7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404516 7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00413538 7_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004145A1 7_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040E639 7_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004337AF 7_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004399B1 7_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0043DAE7 7_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00405CF6 7_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00403F85 7_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411F99 7_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004AD426 11_2_004AD426
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004AD523 11_2_004AD523
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004BD5AE 11_2_004BD5AE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004B7646 11_2_004B7646
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004E29BE 11_2_004E29BE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004E6AF4 11_2_004E6AF4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_0050ABFC 11_2_0050ABFC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00503C4D 11_2_00503C4D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00503CBE 11_2_00503CBE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004AED03 11_2_004AED03
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00503D2F 11_2_00503D2F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00503DC0 11_2_00503DC0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004ACF92 11_2_004ACF92
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004BAFA6 11_2_004BAFA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004DC7BC 11_2_004DC7BC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00C9D426 13_2_00C9D426
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CAD5AE 13_2_00CAD5AE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00C9D523 13_2_00C9D523
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CA7646 13_2_00CA7646
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CD29BE 13_2_00CD29BE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CD6AF4 13_2_00CD6AF4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CFABFC 13_2_00CFABFC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CF3CBE 13_2_00CF3CBE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CF3C4D 13_2_00CF3C4D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CF3DC0 13_2_00CF3DC0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00C9ED03 13_2_00C9ED03
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CF3D2F 13_2_00CF3D2F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00C9CF92 13_2_00C9CF92
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CAAFA6 13_2_00CAAFA6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CCC7BC 13_2_00CCC7BC
PE file contains strange resources
Source: 7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\7.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: security.dll Jump to behavior
Uses 32bit PE files
Source: 7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 7.exe, type: SAMPLE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 7.exe, type: SAMPLE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.exe, type: SAMPLE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.7650000.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.7660000.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.7.exe.27bab9c.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.521204607.0000000007650000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.521214363.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\7.exe Code function: String function: 0018BA9D appears 34 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 00CDBA9D appears 35 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 004EBA9D appears 35 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Sample file is different than original file name gathered from version info
Source: 7.exe Binary or memory string: OriginalFilename vs 7.exe
Source: 7.exe Binary or memory string: OriginalFileName vs 7.exe
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 7.exe
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 7.exe
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 7.exe
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 7.exe
Source: 7.exe, 00000000.00000002.515690583.00000000001C2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs 7.exe
Source: 7.exe, 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs 7.exe
Source: 7.exe, 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 7.exe
Source: 7.exe, 00000000.00000002.521204607.0000000007650000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 7.exe
Source: 7.exe Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs 7.exe
Source: 7.exe Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs 7.exe
Source: 7.exe Binary or memory string: OriginalFilenamemailpv.exe< vs 7.exe
Source: 7.exe Binary or memory string: OriginalFilenamePhulli.exe0 vs 7.exe
Source: 7.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7.exe File created: C:\Users\user\AppData\Roaming\pid.txt Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@7/7@4/4
Source: 7.exe, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.7.exe.140000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.7.exe.140000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: WindowsUpdate.exe.0.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 7_2_00415AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource, 6_2_0040ED0B
Source: 7.exe, 00000000.00000003.267943145.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.267693167.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.268064535.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.267853044.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.267439265.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp, 7.exe, 00000000.00000003.267611430.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Digitized data copyright The Monotype Corporation 1991-1995. All rights reserved.slnt
Source: 7.exe Virustotal: Detection: 83%
Source: 7.exe Metadefender: Detection: 68%
Source: 7.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\7.exe File read: C:\Users\user\Desktop\7.exe Jump to behavior
Source: C:\Users\user\Desktop\7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\7.exe "C:\Users\user\Desktop\7.exe"
Source: C:\Users\user\Desktop\7.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\Desktop\7.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\Desktop\7.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" Jump to behavior
Source: C:\Users\user\Desktop\7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File created: C:\Users\user\AppData\Local\Temp\holdermail.txt Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 7_2_00415F87
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, 7.exe, 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000007.00000000.295698908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000007.00000002.336555805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000007.00000000.294642291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, WindowsUpdate.exe.0.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\7.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\7.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\7.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 7_2_00411196
Source: 7.exe, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: WindowsUpdate.exe.0.dr, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.2.7.exe.140000.0.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.0.7.exe.140000.0.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs Base64 encoded string: 'jKnnv2OtHmCVbL4ukcqXfe1z4H4de/YNg8JCpqpr9q1DDxgSWA+kEDbvzq/lfM8KFapQuuMTsxM2O5Tzlzm+pg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: 7.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: 7.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 7.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: WindowsUpdate.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: WindowsUpdate.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\Desktop\7.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\7.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\7.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\7.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\7.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Users\user\Desktop\7.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: 7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 7.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: indows\System.pdbpdbtem.pdbUs source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Runtime.Remoting.pdbB source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0| source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, 7.exe, WindowsUpdate.exe.0.dr
Source: Binary string: System.Runtime.Remoting.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Runtime.Remoting.pdb7 source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbd source: 7.exe, 00000000.00000002.516483018.0000000002427000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 7.exe, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.exe, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.exe, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.exe, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.0.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.7.exe.140000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.7.exe.140000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.7.exe.140000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.7.exe.140000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.7.exe.140000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.7.exe.140000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.7.exe.140000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.7.exe.140000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_001B0712 push eax; ret 0_2_001B0726
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_001B0712 push eax; ret 0_2_001B074E
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_0018BA9D push eax; ret 0_2_0018BAB1
Source: C:\Users\user\Desktop\7.exe Code function: 0_2_0018BA9D push eax; ret 0_2_0018BAD9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00411879 push ecx; ret 6_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004118A0 push eax; ret 6_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004118A0 push eax; ret 6_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442871 push ecx; ret 7_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442A90 push eax; ret 7_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442A90 push eax; ret 7_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00446E54 push eax; ret 7_2_00446E61
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00510712 push eax; ret 11_2_00510726
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_00510712 push eax; ret 11_2_0051074E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004EBA9D push eax; ret 11_2_004EBAB1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_004EBA9D push eax; ret 11_2_004EBAD9
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00D00712 push eax; ret 13_2_00D00726
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00D00712 push eax; ret 13_2_00D0074E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CDBA9D push eax; ret 13_2_00CDBAB1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_00CDBA9D push eax; ret 13_2_00CDBAD9
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 6_2_00403C3D
Drops PE files
Source: C:\Users\user\Desktop\7.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\7.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior
Source: C:\Users\user\Desktop\7.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\7.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0040F64B
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\7.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\7.exe TID: 6496 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7.exe TID: 6872 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7.exe TID: 6876 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7.exe TID: 6880 Thread sleep time: -41600s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7.exe TID: 4612 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\7.exe TID: 6496 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4364 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5540 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6204 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5924 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\7.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\7.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Thread delayed: delay time: 140000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: bhv4267.tmp.7.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220308T094322Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=aa63b3d6130c474bb239fb07629d02b3&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: WindowsUpdate.exe, 0000000D.00000002.336781223.0000000001531000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: bhv4267.tmp.7.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:D9BC7EDF-91E8-C8ED-3ED4-3B144B30C00C&ctry=US&time=20220326T065924Z&lc=en-US&pl=en-US&idtp=mid&uid=a9223225-82ba-4622-a95e-dcecd6738abd&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=2063bd904d8c466b997524b68d6ff626&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1417890&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1417890&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: WindowsUpdate.exe, 0000000B.00000002.320341711.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\7.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004161B0 memset,GetSystemInfo, 7_2_004161B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 7_2_00407E0E
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 6_2_00403C3D
Enables debug privileges
Source: C:\Users\user\Desktop\7.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\7.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\7.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000 Jump to behavior
Source: C:\Users\user\Desktop\7.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000 Jump to behavior
.NET source code references suspicious native API functions
Source: 7.exe, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 7.exe, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: WindowsUpdate.exe.0.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: WindowsUpdate.exe.0.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.2.7.exe.140000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.7.exe.140000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.0.7.exe.140000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.7.exe.140000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 13.2.WindowsUpdate.exe.c90000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 13.0.WindowsUpdate.exe.c90000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\7.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" Jump to behavior
Source: C:\Users\user\Desktop\7.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy, 7_2_0041604B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 6_2_0040724C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406278 GetVersionExA, 6_2_00406278
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
AV process strings found (often used to terminate AV products)
Source: 7.exe, 00000000.00000002.516042380.00000000008D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information
barindex
Yara detected MailPassView
Source: Yara match File source: 7.exe, type: SAMPLE
Source: Yara match File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.cefa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.3777e00.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.3777e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.19fa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.cefa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4ffa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4ffa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.19fa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.294953383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.294308364.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.293577766.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.298222590.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Yara detected HawkEye Keylogger
Source: Yara match File source: 7.exe, type: SAMPLE
Source: Yara match File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail Jump to behavior
Tries to steal Mail credentials (via file registry)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword 6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword 6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: ESMTPPassword 6_2_004033D7
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 7.exe, type: SAMPLE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c99c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.149c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.3790020.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.3777e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c99c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a9c0d.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.149c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.3790020.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000000.295698908.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.336555805.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.294642291.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.518144940.0000000003771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.295228513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt Jump to behavior

Remote Access Functionality
barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 7.exe, type: SAMPLE
Source: Yara match File source: 13.2.WindowsUpdate.exe.cefa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4ffa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.cefa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.148208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c99c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4ffa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.19fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c99c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c98208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.WindowsUpdate.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.4a9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.149c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.WindowsUpdate.exe.4a8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.c98208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.7.exe.2798d5c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.311517267.00000000004A2000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.331712368.0000000000C92000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.244290044.0000000000142000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7.exe PID: 6464, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 2372, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Detected HawkEye Rat
Source: 7.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: 7.exe String found in binary or memory: HawkEyeKeylogger
Source: 7.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: 7.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HawkEyeKeylogger
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: 7.exe, 00000000.00000002.516506794.0000000002771000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: 7.exe, 00000000.00000002.517727044.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qBAHawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txt
Source: 7.exe, 00000000.00000002.517727044.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q]\ftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txt
Source: 7.exe, 00000000.00000002.517727044.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_818225%203.26.2022%208:08:01%20AM.txt
Source: 7.exe, 00000000.00000002.517727044.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qcbftp://files.000webhost.com/HawkEye_Keylogger_Stealer_Records_818225%203.26.2022%208:08:01%20AM.txt
Source: 7.exe, 00000000.00000002.517749206.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qCB/HawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txt
Source: 7.exe, 00000000.00000002.517749206.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qBAHawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txtd8
Source: 7.exe, 00000000.00000002.517749206.0000000002C6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qIHSTOR HawkEye_Keylogger_Stealer_Records_818225 3.26.2022 8:08:01 AM.txt
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: 7.exe, 00000000.00000002.515370288.0000000000142000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000B.00000002.319064303.00000000004A2000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000D.00000002.336007062.0000000000C92000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: 7.exe String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: 7.exe String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: 7.exe String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: 7.exe String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe.0.dr String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe.0.dr String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe.0.dr String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe.0.dr String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_029C0A8E listen, 11_2_029C0A8E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_029C0FC6 bind, 11_2_029C0FC6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_029C0F93 bind, 11_2_029C0F93
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_029C0A50 listen, 11_2_029C0A50
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_05920A8E listen, 13_2_05920A8E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_05920FC6 bind, 13_2_05920FC6
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_05920F93 bind, 13_2_05920F93
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_05920A50 listen, 13_2_05920A50
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 597511 Sample: 7.exe Startdate: 26/03/2022 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 8 other signatures 2->40 6 7.exe 16 8 2->6         started        11 WindowsUpdate.exe 5 2->11         started        13 WindowsUpdate.exe 4 2->13         started        process3 dnsIp4 26 whatismyipaddress.com 104.16.154.36, 443, 49777, 49778 CLOUDFLARENETUS United States 6->26 28 us-east-1.route-1000.000webhost.awex.io 145.14.144.149, 21, 49792 AWEXUS Netherlands 6->28 32 3 other IPs or domains 6->32 20 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 6->20 dropped 22 C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII 6->22 dropped 42 May check the online IP address of the machine 6->42 44 Changes the view of files in windows explorer (hidden files and folders) 6->44 46 Writes to foreign memory regions 6->46 54 3 other signatures 6->54 15 vbc.exe 1 6->15         started        18 vbc.exe 2 6->18         started        30 127.0.0.1 unknown unknown 11->30 24 C:\Users\user\...\WindowsUpdate.exe.log, ASCII 11->24 dropped 48 Antivirus detection for dropped file 11->48 50 Multi AV Scanner detection for dropped file 11->50 52 Machine Learning detection for dropped file 11->52 file5 signatures6 process7 signatures8 56 Tries to steal Mail credentials (via file registry) 15->56 58 Tries to steal Instant Messenger accounts or passwords 15->58 60 Tries to steal Mail credentials (via file / registry access) 15->60 62 Tries to harvest and steal browser information (history, passwords, etc) 18->62
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.16.154.36
 whatismyipaddress.com United States
13335 CLOUDFLARENETUS false
145.14.144.149
 us-east-1.route-1000.000webhost.awex.io Netherlands
204915 AWEXUS false

Private

IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
whatismyipaddress.com 104.16.154.36 true
us-east-1.route-1000.000webhost.awex.io 145.14.144.149 true
files.000webhost.com unknown unknown
49.124.12.0.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://whatismyipaddress.com/ false
    		high