Windows Analysis Report
slowday.exe

Overview

General Information

Sample Name: slowday.exe
Analysis ID: 614362
MD5: a172f4b0fa1a44cb60901944cff7f8ed
SHA1: c4aa87ba839c2da6ed852ba0e936ac80d47ec5b5
SHA256: 94243b53eceb2662ae632d9c3e02b5b947ea56ac4ac1db3a69fc0ca3e5100816
Tags: exe hawkeye keylogger stealer

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Yara detected WebBrowserPassView password recovery tool
AutoIt script contains suspicious strings
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Sample file name differs from the original file name in its version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains capabilities to detect virtual machines
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
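The signature list above describes one behaviour chain: an AutoIt-compiled dropper (slowday.exe) drops winlogons.exe under AppData\Roaming\winlogons, writes a script into the Start Menu Startup folder, starts the .NET Framework 2.0 utilities RegAsm.exe and vbc.exe in suspended mode and hollows the HawkEye payload and the NirSoft credential tools into them, and talks to pomf.cat and bot.whatismyipaddress.com from the hollowed RegAsm.exe. The Python below is an added example, not part of the Joe Sandbox report, that turns those observations into detection logic and runs it over constructed Sysmon-style events. The event field names, the winlogons.vbs startup file name and the two benign control events are assumptions; the image paths, host names and the drop path are the ones the report lists. The first check is the pattern behind the "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" Sigma signature: a compiler or registration utility launched with no arguments at all.

```python
"""Added detection example for the HawkEye behaviour chain in the report.

Three checks over constructed Sysmon-style events (assumed field names;
these are not logs from the sandbox run):
  1. a .NET sacrificial binary (RegAsm.exe, vbc.exe) started with no
     arguments;
  2. a file written to the Start Menu Startup folder, or a PE written
     under AppData\\Roaming by a process running from a user-writable path;
  3. a connection to one of the hosts the report lists, or any network
     activity from a sacrificial process (RegAsm/vbc have no reason to
     talk to the network).
"""
import ntpath

# Binaries the report shows being hollowed; extending the set (RegSvcs,
# MSBuild, InstallUtil, ...) is an assumption left to the reader.
SACRIFICIAL = {"regasm.exe", "vbc.exe"}
# Hosts taken from the report's "String found in binary or memory" entries.
SUSPECT_HOSTS = {"pomf.cat", "a.pomf.cat", "bot.whatismyipaddress.com"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\desktop\\", "\\downloads\\", "\\temp\\", "\\appdata\\")

# Constructed telemetry modelled on the report's process tree.
EVENTS = [
    {"id": 1, "type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Users\user\Desktop\slowday.exe",
     "cmdline": r'"C:\Users\user\Desktop\slowday.exe"'},
    {"id": 2, "type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"},
    {"id": 3, "type": "file", "pid": 100,
     "path": r"C:\Users\user\AppData\Roaming\winlogons\winlogons.exe"},
    {"id": 4, "type": "file", "pid": 100,  # the script file name is assumed
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.vbs"},
    {"id": 5, "type": "process", "pid": 102, "ppid": 101,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"},
    {"id": 6, "type": "network", "pid": 101, "host": "bot.whatismyipaddress.com", "port": 80},
    {"id": 7, "type": "network", "pid": 101, "host": "pomf.cat", "port": 80},
    # Benign controls (assumed): a real compiler invocation, unrelated browsing.
    {"id": 8, "type": "process", "pid": 200, "ppid": 50,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @C:\build\args.rsp'},
    {"id": 9, "type": "network", "pid": 300, "host": "www.msn.com", "port": 443},
]


def _no_arguments(cmdline, image):
    """True when the command line is nothing but the image path (quoted or not)."""
    return cmdline.strip().strip('"').lower() == image.lower()


def _basename(image):
    return ntpath.basename(image).lower()


def evaluate(events):
    """Return a list of (rule, event_id, detail) alerts, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            name = _basename(e["image"])
            if name in SACRIFICIAL and _no_arguments(e["cmdline"], e["image"]):
                parent = procs.get(e["ppid"])
                pimg = parent["image"] if parent else "<unknown>"
                alerts.append(("SACRIFICIAL_NO_ARGS", e["id"],
                               f"{name} started without arguments by {pimg}"))
        elif e["type"] == "file":
            path = e["path"].lower()
            writer = procs.get(e["pid"])
            wimg = writer["image"].lower() if writer else ""
            if STARTUP_MARKER in path:
                alerts.append(("STARTUP_DROP", e["id"], e["path"]))
            elif (path.endswith(".exe") and "\\appdata\\roaming\\" in path
                    and any(m in wimg for m in USER_WRITABLE)):
                alerts.append(("ROAMING_PE_DROP", e["id"],
                               f"{e['path']} written by {writer['image']}"))
        elif e["type"] == "network":
            proc = procs.get(e["pid"])
            name = _basename(proc["image"]) if proc else f"pid {e['pid']}"
            if e["host"].lower() in SUSPECT_HOSTS:
                alerts.append(("SUSPECT_HOST", e["id"], f"{name} -> {e['host']}"))
            if name in SACRIFICIAL:
                alerts.append(("SACRIFICIAL_NETWORK", e["id"],
                               f"{name} -> {e['host']}:{e['port']}"))
    return alerts


def flagged_event_ids(alerts):
    return sorted({event_id for _, event_id, _ in alerts})


if __name__ == "__main__":
    for rule, event_id, detail in evaluate(EVENTS):
        print(f"[{rule}] event {event_id}: {detail}")
```

The argument-less check is the one worth keeping even if the host list goes stale: pomf.cat is a public file host that can be swapped in any rebuild, whereas a loader that hollows RegAsm.exe or vbc.exe almost always launches it with an empty command line, which no build system does. Event 8 shows the benign case that must not fire.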

Classification

AV Detection

Source: https://a.pomf.cat/ Avira URL Cloud: Label: phishing
Source: http://pomf.cat/upload.php Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe Avira: detection malicious, Label: DR/AutoIt.Gen8
Source: slowday.exe Virustotal: Detection: 74%
Source: slowday.exe ReversingLabs: Detection: 73%
Source: slowday.exe Avira: detected
Source: http://pomf.cat/upload.php Virustotal: Detection: 7%
Source: 0.2.slowday.exe.dc0000.0.unpack Avira: Label: DR/AutoIt.Gen8
Source: 7.0.winlogons.exe.1280000.0.unpack Avira: Label: DR/AutoIt.Gen8
Source: 7.2.winlogons.exe.1280000.0.unpack Avira: Label: DR/AutoIt.Gen8
Source: 1.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 1.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 7.3.winlogons.exe.3790000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 0.3.slowday.exe.3b50000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 8.0.RegAsm.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 0.0.slowday.exe.dc0000.0.unpack Avira: Label: DR/AutoIt.Gen8
Source: 1.0.RegAsm.exe.400000.1.unpack Avira: Label: TR/Dropper.Gen
Source: slowday.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.508932595.0000000003234000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509181368.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WCN\en-US\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00E2449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E2449B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 2_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 2_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 6_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 6_2_00408CAC
Source: RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bot.whatismyipaddress.com/
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvAE74.tmp.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvAE74.tmp.6.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://ocsp.digicert.com0B
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://ocsp.digicert.com0E
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://ocsp.digicert.com0M
Source: bhvAE74.tmp.6.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhvBB7.tmp.21.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pomf.cat/upload.php
Source: slowday.exe, 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, slowday.exe, 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhvBB7.tmp.21.dr String found in binary or memory: http://www.msn.com
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: http://www.msn.com/
Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343153268.0000000002203000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343183877.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343153268.0000000002203000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343183877.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
Source: vbc.exe, 00000002.00000002.260540499.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282611989.0000000000195000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299301709.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301868471.0000000000195000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320171342.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333176153.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346821134.000000000019C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 0000000A.00000002.302284910.00000000008F0000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320338542.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333369197.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.347050996.0000000000980000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src22
Source: vbc.exe, 00000002.00000002.261371537.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.260277725.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.282395197.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282748053.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.298779879.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299948440.0000000000A4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=447687274835
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.261431821.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282897476.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299972783.000000000275C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317402049.0000000000B25000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330749808.0000000000B35000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://a.pomf.cat/
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv2307.tmp.23.dr, bhvED61.tmp.19.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://contextual.media.net/
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://contextual.media.net/48/nrrV18753.js
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345265864.0000000002214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: vbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345265864.0000000002214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Google
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhvAE74.tmp.6.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: bhvAE74.tmp.6.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe, 00000002.00000003.258804359.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.280774085.00000000027EB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297394519.000000000275B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317103637.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330049242.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317103637.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330049242.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: RegAsm.exe, 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507298136.0000000003106000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507684707.0000000003176000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507061368.0000000003012000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507298136.0000000003106000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507684707.0000000003176000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507061368.0000000003012000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
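The string in the two RegAsm.exe / vbc.exe entries directly above is the marker block of an Internet Explorer credential- and history-recovery routine, which matches the WebBrowserPassView / MailPassView detections in the signature list: the IntelliForms\Storage2 registry path is where IE keeps saved form logins, WebCacheV01.dat / WebCacheV24.dat, Container_%I64d and the History / AccessCount / visited: names are the browsing-history store, and the three login URLs (Google, Facebook, Yahoo) are a URL dictionary, needed because Storage2 entries are indexed by a hash of the login-page URL rather than stored under a readable name. The bhv*.tmp files in the entries above are dropped by the same vbc.exe process IDs (2, 6, 9, 10, 19, 21, 23) that carry this string, so the Chrome-download, MSN and analytics URLs found in them are most likely what the history dump collected from the analysis machine's own browser cache, not infrastructure the sample contacts; treat them as noise rather than network indicators. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it scans a dropped file or process memory dump for those exact markers in both ASCII and UTF-16LE (the encoding .NET string literals such as those in the RegAsm.exe payload use in memory) and flags the Storage2 path together with at least one login URL as credential recovery, while history-store names alone are reported as history access. The marker literals are taken from the report line; the sample buffers at the bottom are constructed for the demonstration.

```python
"""
Added example (not from the Joe Sandbox report): scan a memory dump or dropped file
for the IE credential/history-recovery marker strings seen in RegAsm.exe / vbc.exe.
"""
import re
import sys

# Marker literals copied from the string found in RegAsm.exe / vbc.exe memory.
MARKERS = {
    "intelliforms_storage2": rb"Software\Microsoft\Internet Explorer\IntelliForms\Storage2",
    "webcache_v01": rb"Microsoft\Windows\WebCache\WebCacheV01.dat",
    "webcache_v24": rb"Microsoft\Windows\WebCache\WebCacheV24.dat",
    "history_container": rb"Container_%I64d",
    "url_google_login": rb"https://www.google.com/accounts/servicelogin",
    "url_facebook": rb"http://www.facebook.com/",
    "url_yahoo_login": rb"https://login.yahoo.com/config/login",
}

# Storage2 values are keyed by a hash of the login-page URL, so a recovery tool
# must carry candidate URLs; their presence next to the key path is the tell.
URL_MARKERS = {"url_google_login", "url_facebook", "url_yahoo_login"}
HISTORY_MARKERS = {"webcache_v01", "webcache_v24", "history_container"}


def _compile_patterns():
    """Each marker as an ASCII regex and as UTF-16LE (how .NET keeps strings in memory)."""
    compiled = {}
    for name, literal in MARKERS.items():
        ascii_re = re.compile(re.escape(literal))
        utf16_re = re.compile(re.escape(literal.decode("ascii").encode("utf-16-le")))
        compiled[name] = (ascii_re, utf16_re)
    return compiled


_PATTERNS = _compile_patterns()


def scan_buffer(data: bytes) -> dict:
    """Return {marker_name: [(encoding, offset), ...]} for every marker present in data."""
    hits = {}
    for name, (ascii_re, utf16_re) in _PATTERNS.items():
        found = [("ascii", m.start()) for m in ascii_re.finditer(data)]
        found += [("utf-16le", m.start()) for m in utf16_re.finditer(data)]
        if found:
            hits[name] = sorted(found, key=lambda hit: hit[1])
    return hits


def classify(hits: dict) -> str:
    """
    'ie_credential_recovery' when the Storage2 key path co-occurs with a login URL,
    'ie_history_access' when only history-store names are present, else 'clean'.
    """
    names = set(hits)
    if "intelliforms_storage2" in names and names & URL_MARKERS:
        return "ie_credential_recovery"
    if names & HISTORY_MARKERS:
        return "ie_history_access"
    return "clean"


def scan_file(path: str) -> tuple:
    """Read one dump or dropped file whole (sandbox .sdmp files are small) and classify it."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = scan_buffer(data)
    return classify(hits), hits


# Constructed sample buffers (not taken from the report). The first mimics the
# concatenated ASCII string table; the second is the same idea as UTF-16LE .NET literals.
SAMPLE_STEALER = (
    b"\x00" * 16
    + b"Microsoft\\Windows\\WebCache\\WebCacheV01.dat"
    + b"Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2"
    + b"https://www.google.com/accounts/servicelogin"
    + b"http://www.facebook.com/"
    + b"\x00" * 16
)
SAMPLE_DOTNET = (
    "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2".encode("utf-16-le")
    + "https://login.yahoo.com/config/login".encode("utf-16-le")
)
SAMPLE_HISTORY_ONLY = b"Container_%I64d" + b"Microsoft\\Windows\\WebCache\\WebCacheV24.dat"
SAMPLE_BENIGN = b"This program cannot be run in DOS mode."


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            verdict, hits = scan_file(path)
            print(path, verdict, {name: len(offsets) for name, offsets in hits.items()})
    else:
        for label, buf in (("stealer", SAMPLE_STEALER), ("dotnet", SAMPLE_DOTNET),
                           ("history", SAMPLE_HISTORY_ONLY), ("benign", SAMPLE_BENIGN)):
            print(label, classify(scan_buffer(buf)))
```

Run it with the .sdmp or dropped-file paths as arguments, or with no arguments to see the verdicts for the constructed buffers. Matching both encodings matters here because the same marker set appears in native vbc.exe images (ASCII) and in the RegAsm.exe-hosted .NET payload (UTF-16LE); scanning ASCII only would miss the latter.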
Source: vbc.exe, 00000002.00000003.259269966.0000000002418000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258819074.0000000002418000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.259692750.0000000002418000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.260195881.0000000002418000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.281319669.0000000002268000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.282249348.0000000002268000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297987936.0000000000A08000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.298543150.0000000000A08000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297638157.0000000000A08000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297665555.0000000000A08000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.300106270.0000000002288000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.301530579.0000000002288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000002.00000003.259179017.0000000002418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000002.00000003.259179017.0000000002418000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%
2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000006.00000003.280821648.0000000002268000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%
2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000006.00000003.280821648.0000000002268000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%
2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 0000000A.00000003.299884129.0000000002288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%
2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 0000000A.00000003.299884129.0000000002288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%
2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 0000000A.00000003.300264453.0000000002288000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.300134040.0000000002288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type
=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 0000000A.00000003.300264453.0000000002288000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.300134040.0000000002288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type
=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000009.00000003.297406475.0000000000A08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%
2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000009.00000003.297406475.0000000000A08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%
2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000013.00000003.319838251.0000000000B24000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.332209381.0000000000B34000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.332158682.0000000000B34000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.332908452.0000000000B34000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.332070404.0000000000B34000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.346413135.0000000002214000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345161813.0000000002214000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345356530.0000000002214000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345265864.0000000002214000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;s
rc=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000013.00000003.319209144.0000000000B24000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.318983737.0000000000B24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type
=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000013.00000003.318840744.0000000000B24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%
2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe, 00000006.00000003.281713896.0000000002268000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.281366728.0000000002268000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type
=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DC2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00DC2344
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040F078 OpenClipboard,GetLastError,DeleteFileW, 2_2_0040F078
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00E4CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00E4CB26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 35.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.RegAsm.exe.4b4834a.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.f1834a.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.3.RegAsm.exe.43bb8f2.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.47c35a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.ec0345.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.RegAsm.exe.4af0000.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6abdc50.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.3.RegAsm.exe.481b8f2.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.47c38ed.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.RegAsm.exe.4b4834a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 30.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 8.3.RegAsm.exe.43bb8f2.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 30.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.481b8f2.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.3.RegAsm.exe.43635a8.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.ec0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.3.RegAsm.exe.43635a8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 30.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEye v9 Payload Author: ditekshen
Source: 1.2.RegAsm.exe.ec0000.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.47c35a8.2.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 30.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.3.RegAsm.exe.43638ed.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.f1834a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.RegAsm.exe.4af0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.RegAsm.exe.6771c10.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.RegAsm.exe.4af0345.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 8.2.RegAsm.exe.680dc50.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6a21c10.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.2.RegAsm.exe.6985bd0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001E.00000000.426437716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001E.00000000.427032504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000023.00000000.476920702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000023.00000000.476609375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
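The Yara hits above come in three source spellings: `<process index>.<stage>.<image>.<base>.<n>.unpack` for PE files the sandbox rebuilt from memory, `<index hex>.<stage>.<id>.<base>.<protection>.<...>.<type>.<...>.sdmp` for raw memory dumps, and `Process Memory Space: <image> PID: <pid>` for whole-process string scans. The hex index of a dump is the decimal index of the unpack names (0000001E is process 30, vbc.exe), the fifth field is the Win32 page protection (00000040 is PAGE_EXECUTE_READWRITE) and the seventh the memory type (00020000 is MEM_PRIVATE). A legitimately loaded module is MEM_IMAGE, so dumps that fire at 0x400000 in RegAsm.exe and vbc.exe are private RWX memory sitting where the module image should be, which is what a hollowed process looks like. The Python below is an added example, not part of the report, that parses these lines, resolves dump indices to process names via the unpack names, and flags that pattern. The sample lines are copied from the report; the field layout of the .sdmp names is inferred from those lines and is an assumption.

```python
"""Triage the 'Source: ... Matched rule: ...' lines of a Joe Sandbox report.
Added example, not part of the report: groups Yara hits by process and flags hits that
sit in private RWX memory at the default image base, the footprint of process hollowing."""
import re
from collections import defaultdict

# Lines copied from the report above (a representative subset of the full list).
REPORT_LINES = """\
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEyeV9 payload Author: ditekshen
Source: 30.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 1.3.RegAsm.exe.481b8f2.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
Source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
"""

LINE_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<kind>\w+) Matched rule: (?P<rest>.+)$")
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.(?P<stage>\d+)\.(?P<proc>.+?\.exe)\.(?P<base>[0-9a-f]+)\.\d+\."
                       r"(?P<raw>raw\.)?unpack$", re.I)
# .sdmp name layout, inferred from the report's lines (an assumption, not documented here):
# <process index hex>.<dump stage>.<dump id>.<base address>.<page protection>.<?>.<memory type>.<?>
SDMP_RE = re.compile(r"^(?P<idx>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\.(?P<base>[0-9A-F]{16})\."
                     r"(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<proc>.+?) PID: (?P<pid>\d+)$")

# Win32 constants that appear in the dump names.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_hit(line):
    """Return a dict for one 'Source: ... Matched rule: ...' line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rule, author = m["rest"], None
    if " Author: " in rule:                     # short form: "<description> Author: <name>"
        rule, author = rule.split(" Author: ", 1)
    elif (k := re.search(r" \w+ = ", rule)):    # long form: "<rule id> date = ..., author = ..., ..."
        meta, rule = rule[k.start():], rule[:k.start()]
        if (a := re.search(r"author = ([^,]+)", meta)):
            author = a.group(1)
    hit = {"kind": m["kind"], "rule": rule, "author": author, "src": m["src"]}
    src = m["src"]
    if hit["kind"] == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
        hit.update(proc_idx=int(u["idx"]), stage=int(u["stage"]), proc=u["proc"],
                   base=int(u["base"], 16), raw=u["raw"] is not None)
    elif hit["kind"] == "MEMORY" and (s := SDMP_RE.match(src)):
        prot = int(s["prot"], 16)
        hit.update(proc_idx=int(s["idx"], 16), stage=int(s["stage"], 16), base=int(s["base"], 16),
                   protect=PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
                   mem_type=MEM_TYPE.get(int(s["mtype"], 16), s["mtype"]))
    elif hit["kind"] == "MEMORYSTR" and (p := MEMSTR_RE.match(src)):
        hit.update(proc=p["proc"], pid=int(p["pid"]))
    return hit


def summarize(report_text):
    """Group hits by rule and list dumps whose hit sits in private RWX memory at the image base."""
    hits = [h for h in map(parse_hit, report_text.splitlines()) if h]
    # .sdmp names carry only the numeric process index; learn index -> name from the unpack names.
    names = {h["proc_idx"]: h["proc"] for h in hits if h["kind"] == "UNPACKEDPE"}
    for h in hits:
        if "proc" not in h and "proc_idx" in h:
            h["proc"] = names.get(h["proc_idx"], f"process#{h['proc_idx']}")
    by_rule = defaultdict(set)
    for h in hits:
        by_rule[h["rule"]].add(h.get("proc", h["src"]))
    # A loaded module is MEM_IMAGE; a PE that fires rules from MEM_PRIVATE RWX memory at the
    # default image base was written into the process, which is what hollowing leaves behind.
    hollow = {(h["proc"], hex(h["base"])) for h in hits
              if h["kind"] == "MEMORY" and h.get("protect") == "PAGE_EXECUTE_READWRITE"
              and h.get("mem_type") == "MEM_PRIVATE" and 0x400000 <= h["base"] < 0x500000}
    return {"hits": hits, "by_rule": {r: sorted(p) for r, p in by_rule.items()},
            "hollowing_candidates": sorted(hollow)}


if __name__ == "__main__":
    summary = summarize(REPORT_LINES)
    for rule, procs in summary["by_rule"].items():
        print(f"{rule}: {', '.join(procs)}")
    print("hollowing candidates:", summary["hollowing_candidates"])
```

Run against the full list the same way (paste the report's lines into `REPORT_LINES`); the rule-to-process table shows at a glance that the HawkEye rules fire in slowday.exe, winlogons.exe and both RegAsm.exe instances while the BabyShark rule fires only in the injected RegAsm.exe and vbc.exe payloads, and the hollowing list names the processes whose image base was overwritten.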
Source: slowday.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: slowday.exe, 00000000.00000002.246013311.0000000000E74000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: slowday.exe, 00000000.00000002.246013311.0000000000E74000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: winlogons.exe, 00000007.00000002.283157637.0000000001334000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
Source: winlogons.exe, 00000007.00000002.283157637.0000000001334000.00000002.00000001.01000000.00000005.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: slowday.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: slowday.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: slowday.exe AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
Source: slowday.exe AutoIt Script: HDTNVAKFLIUTJTT = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: slowday.exe AutoIt Script: KDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRX
Source: slowday.exe AutoIt Script: 62178 ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "DelegateExecute
Source: winlogons.exe.0.dr AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
Source: winlogons.exe.0.dr AutoIt Script: HDTNVAKFLIUTJTT = ["vmtoolsd.exe" , "vbox.exe" ] FO
Source: winlogons.exe.0.dr AutoIt Script: KDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRX
Source: winlogons.exe.0.dr AutoIt Script: 62178 ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "DelegateExecute
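The AutoIt fragments above show the script writing HKCU\Software\Classes\ms-settings\shell\open\command with a DelegateExecute value. That key is the per-user protocol handler consulted by auto-elevating Windows binaries such as fodhelper.exe, so a non-elevated process populating it is the setup step of the well-known ms-settings UAC bypass; the report shows only the registry write, not what was launched afterwards. As an added example, not part of the report, the Python below runs that check over constructed Sysmon RegistryEvent records. It assumes Sysmon's usual hive spelling, where the current user's hive appears as HKU\<SID> and HKCU\Software\Classes as HKU\<SID>_Classes, and normalises both before matching.

```python
"""Detect a hijacked ms-settings protocol handler in Sysmon registry events.
Added example, not part of the report; the events below are constructed."""
import re

# Constructed Sysmon records. Event ID 13 is RegistryEvent (value set), Event ID 12 is key
# create/delete. Sysmon renders the user hive as HKU\<SID> and the per-user Classes hive
# (what HKCU\Software\Classes points at) as HKU\<SID>_Classes.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2022-04-26 10:00:01.000",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Google\\Chrome\\BLBeacon\\state"},
    {"EventID": 12, "EventType": "CreateKey", "UtcTime": "2022-04-26 10:00:05.000",
     "Image": "C:\\Users\\user\\Desktop\\slowday.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001_Classes\\ms-settings\\shell\\open\\command"},
    {"EventID": 13, "EventType": "SetValue", "UtcTime": "2022-04-26 10:00:05.010",
     "Image": "C:\\Users\\user\\Desktop\\slowday.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001_Classes\\ms-settings\\shell\\open\\command\\DelegateExecute"},
]

# Every spelling of the per-user Classes hive that can show up in TargetObject.
USER_CLASSES_RE = re.compile(
    r"^(?:HKU\\S-1-5-21-[\d-]+_Classes|HKU\\S-1-5-21-[\d-]+\\Software\\Classes|"
    r"HKCU\\Software\\Classes|HKEY_CURRENT_USER\\Software\\Classes)\\", re.IGNORECASE)
# DelegateExecute and (Default) are the two values the bypass writes under the command key;
# (Default) carries the command that the elevated handler will run.
MS_SETTINGS_RE = re.compile(
    r"^HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\(?P<value>DelegateExecute|\(Default\))$",
    re.IGNORECASE)


def normalise_key(target):
    """Map any spelling of the per-user Classes hive onto HKCU\\Software\\Classes\\."""
    return USER_CLASSES_RE.sub(lambda m: "HKCU\\Software\\Classes\\", target)


def detect_ms_settings_hijack(events):
    """Return one alert per value written under the ms-settings open\\command key."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13:      # only value writes; creating the empty key is inert
            continue
        key = normalise_key(ev["TargetObject"])
        m = MS_SETTINGS_RE.match(key)
        if m:
            alerts.append({"time": ev["UtcTime"], "image": ev["Image"],
                           "value": m["value"], "key": key})
    return alerts


if __name__ == "__main__":
    for alert in detect_ms_settings_hijack(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['image']} set {alert['value']} under {alert['key']}")
```

No legitimate software populates HKCU\Software\Classes\ms-settings, so the match needs no allow-list; the writing image is the process to pivot on, and on a live host the same key can be inspected directly and deleted to neutralise the hijack.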
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DCE800 0_2_00DCE800
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DCFE40 0_2_00DCFE40
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DD70FE 0_2_00DD70FE
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DD6841 0_2_00DD6841
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DCE060 0_2_00DCE060
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DD8968 0_2_00DD8968
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DEDAF5 0_2_00DEDAF5
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DC1287 0_2_00DC1287
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF6452 0_2_00DF6452
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DE1604 0_2_00DE1604
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00E47E0D 0_2_00E47E0D
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF6F36 0_2_00DF6F36
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DEBF26 0_2_00DEBF26
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FADCE8 1_2_00FADCE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA08B1 1_2_00FA08B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAE0A1 1_2_00FAE0A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAD090 1_2_00FAD090
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAA1F1 1_2_00FAA1F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA4998 1_2_00FA4998
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA5591 1_2_00FA5591
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAD950 1_2_00FAD950
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA7518 1_2_00FA7518
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAD6B0 1_2_00FAD6B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA7A19 1_2_00FA7A19
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3398 1_2_00FA3398
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA8B90 1_2_00FA8B90
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA7F10 1_2_00FA7F10
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FADCD8 1_2_00FADCD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA08B0 1_2_00FA08B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA38B7 1_2_00FA38B7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA5890 1_2_00FA5890
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA388B 1_2_00FA388B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA5880 1_2_00FA5880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3868 1_2_00FA3868
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA8445 1_2_00FA8445
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA8024 1_2_00FA8024
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3C00 1_2_00FA3C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3DF9 1_2_00FA3DF9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA39DA 1_2_00FA39DA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA41D8 1_2_00FA41D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA45C0 1_2_00FA45C0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA4DB0 1_2_00FA4DB0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3580 1_2_00FA3580
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAD944 1_2_00FAD944
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA6D30 1_2_00FA6D30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA390D 1_2_00FA390D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FACACD 1_2_00FACACD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA7EC1 1_2_00FA7EC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3AB4 1_2_00FA3AB4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAD6AC 1_2_00FAD6AC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA369C 1_2_00FA369C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FACA89 1_2_00FACA89
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3671 1_2_00FA3671
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3A77 1_2_00FA3A77
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FACA46 1_2_00FACA46
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3A3A 1_2_00FA3A3A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FADE37 1_2_00FADE37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA6A29 1_2_00FA6A29
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA7A20 1_2_00FA7A20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA361B 1_2_00FA361B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3218 1_2_00FA3218
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3E00 1_2_00FA3E00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA37FA 1_2_00FA37FA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAD3F8 1_2_00FAD3F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3BF0 1_2_00FA3BF0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA37B8 1_2_00FA37B8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3777 1_2_00FA3777
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA5768 1_2_00FA5768
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3744 1_2_00FA3744
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA2730 1_2_00FA2730
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3711 1_2_00FA3711
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA7F09 1_2_00FA7F09
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FA3B0F 1_2_00FA3B0F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FADF0C 1_2_00FADF0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0044900F 2_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_004042EB 2_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00414281 2_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00410291 2_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_004063BB 2_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00415624 2_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0041668D 2_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040477F 2_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040487C 2_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0043589B 2_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0043BA9D 2_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0043FBD3 2_2_0043FBD3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0044900F 6_2_0044900F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004042EB 6_2_004042EB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00414281 6_2_00414281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00410291 6_2_00410291
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004063BB 6_2_004063BB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00415624 6_2_00415624
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0041668D 6_2_0041668D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040477F 6_2_0040477F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040487C 6_2_0040487C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0043589B 6_2_0043589B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0043BA9D 6_2_0043BA9D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0043FBD3 6_2_0043FBD3
Source: slowday.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slowday.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slowday.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slowday.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slowday.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: slowday.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: winlogons.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: winlogons.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: winlogons.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: winlogons.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: winlogons.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: winlogons.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: sfc.dll
Source: slowday.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: 35.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.RegAsm.exe.4b4834a.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.f1834a.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.3.RegAsm.exe.43bb8f2.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.47c35a8.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.ec0345.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.RegAsm.exe.4af0000.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6abdc50.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.3.RegAsm.exe.481b8f2.0.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.47c38ed.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.RegAsm.exe.4b4834a.3.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 30.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 8.3.RegAsm.exe.43bb8f2.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 30.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.481b8f2.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.3.RegAsm.exe.43635a8.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.ec0000.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.3.RegAsm.exe.43635a8.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 30.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 1.2.RegAsm.exe.ec0000.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.3.RegAsm.exe.47c35a8.2.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 30.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.3.RegAsm.exe.43638ed.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.f1834a.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.RegAsm.exe.4af0000.2.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.RegAsm.exe.6771c10.6.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.RegAsm.exe.4af0345.1.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 8.2.RegAsm.exe.680dc50.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6a21c10.4.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 1.2.RegAsm.exe.6985bd0.6.raw.unpack, type: UNPACKEDPE Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001E.00000000.426437716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001E.00000000.427032504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000023.00000000.476920702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000023.00000000.476609375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url, type: DROPPED Matched rule: URL_File_Local_EXE date = 2017-10-04, author = Florian Roth, description = Detects an .url file that points to a local executable, reference = https://twitter.com/malwareforme/status/915300883012870144, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url, type: DROPPED Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044465C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044466E appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00415F19 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0044468C appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00444B90 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0041607A appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 0042F6EF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004162C2 appears 174 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004083D6 appears 64 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAACC8 NtUnmapViewOfSection,NtUnmapViewOfSection, 1_2_00FAACC8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040978A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 6_2_0040978A
Source: slowday.exe, 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs slowday.exe
Source: slowday.exe, 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameReborn Stub.exe" vs slowday.exe
Source: slowday.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\slowday.exe File created: C:\Users\user\AppData\Roaming\winlogons Jump to behavior
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@24/18@0/1
Source: 7.3.winlogons.exe.3790000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 8.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 8.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 0.3.slowday.exe.3b50000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 8.0.RegAsm.exe.400000.1.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.3.slowday.exe.3b50000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 0.3.slowday.exe.3b50000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 0.3.slowday.exe.3b50000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 8.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 7.3.winlogons.exe.3790000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.3.winlogons.exe.3790000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.RegAsm.exe.400000.1.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.3.winlogons.exe.3790000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 7.3.winlogons.exe.3790000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 7.3.winlogons.exe.3790000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.0.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.slowday.exe.3b50000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.slowday.exe.3b50000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 8.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 8.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 8.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 8.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 8.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 8.0.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00E2A0F4 GetLastError,FormatMessageW, 0_2_00E2A0F4
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00DC4FE9
Source: slowday.exe Virustotal: Detection: 74%
Source: slowday.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\slowday.exe File read: C:\Users\user\Desktop\slowday.exe Jump to behavior
Source: C:\Users\user\Desktop\slowday.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\slowday.exe "C:\Users\user\Desktop\slowday.exe"
Source: C:\Users\user\Desktop\slowday.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp33E2.tmp
Source: unknown Process created: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe "C:\Users\user\AppData\Roaming\winlogons\winlogons.exe"
Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8255.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp36CB.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp43C.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp4F4.tmp
Source: C:\Users\user\Desktop\slowday.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp33E2.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8255.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp36CB.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp43C.tmp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp4F4.tmp Jump to behavior
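The process list above records the same chain twice, once from slowday.exe and once from the persisted winlogons.exe: the dropper starts RegAsm.exe with no arguments at all, and that RegAsm.exe then starts vbc.exe with a /stext switch, the NirSoft convention for writing a recovery tool's results to a text file under %TEMP%. Neither binary has any business being launched that way. The script below is an added example, not code from the report: it rebuilds that pattern from process-creation events and flags the .NET Framework utilities involved. The event records and PIDs, the two benign launches used for contrast, and the list of framework utilities beyond RegAsm.exe and vbc.exe are the example's own assumptions.

```python
"""
Detection sketch for the chain the report records:
  dropper in a user-writable path -> RegAsm.exe (no arguments) -> vbc.exe /stext <temp file>
Added example; not code from the sandbox report.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List

# .NET Framework utilities commonly abused as hollowing hosts. The report shows only
# RegAsm.exe and vbc.exe; the rest of this list is an assumption of the example.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "vbc.exe", "csc.exe", "msbuild.exe", "installutil.exe"}
DOTNET_DIR = re.compile(r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\", re.I)
# Locations a standard user can write to; a framework utility spawned from here deserves a look.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(desktop|appdata|downloads)\\", re.I)
# NirSoft recovery tools write their results to a file when run with /stext <file>.
STEXT_SWITCH = re.compile(r"(?:^|\s)/stext(?:\s|$)", re.I)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


@dataclass
class Finding:
    pid: int
    image: str
    reasons: List[str] = field(default_factory=list)


def arguments_of(cmdline: str, image: str) -> str:
    """Everything after the executable token. Tolerates the stray double quote that
    follows the .exe in the report's vbc.exe command lines."""
    name = PureWindowsPath(image).name
    idx = cmdline.lower().find(name.lower())
    if idx == -1:
        return cmdline.strip()
    return cmdline[idx + len(name):].lstrip('"').strip()


def evaluate(events: List[ProcessEvent]) -> Dict[int, Finding]:
    """Return flagged processes keyed by pid, each with the reasons it was flagged."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, Finding] = {}
    for e in events:
        name = PureWindowsPath(e.image).name.lower()
        if name not in DOTNET_HOSTS or not DOTNET_DIR.match(e.image):
            continue
        reasons: List[str] = []
        args = arguments_of(e.cmdline, e.image)
        if not args:
            reasons.append("framework utility started without arguments (sacrificial host)")
        if STEXT_SWITCH.search(args):
            reasons.append("/stext switch: NirSoft-style credential dump to a file")
        parent = by_pid.get(e.ppid)
        if parent is not None and USER_WRITABLE.match(parent.image):
            reasons.append(f"spawned by {PureWindowsPath(parent.image).name} from a user-writable path")
        if reasons:
            findings[e.pid] = Finding(e.pid, e.image, reasons)
    # Second pass: a flagged process whose parent is also flagged is the hollowing chain itself.
    for pid, finding in findings.items():
        ppid = by_pid[pid].ppid
        if ppid in findings:
            parent_name = PureWindowsPath(by_pid[ppid].image).name
            finding.reasons.append(f"parent pid {ppid} ({parent_name}) is also flagged")
    return findings


# Constructed events mirroring the report's chain, plus two benign .NET launches. PIDs are made up.
FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(200, 100, r"C:\Users\user\Desktop\slowday.exe", r'"C:\Users\user\Desktop\slowday.exe"'),
    ProcessEvent(300, 200, FW + r"\RegAsm.exe", FW + r"\RegAsm.exe"),
    ProcessEvent(400, 300, FW + r"\vbc.exe",
                 FW + r'\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp'),
    # Benign: Visual Studio invoking the VB compiler, and an installer registering a COM assembly.
    ProcessEvent(500, 100, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
                 r'"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"'),
    ProcessEvent(600, 500, FW + r"\vbc.exe", '"' + FW + r'\vbc.exe" /noconfig @"C:\build\obj\App.rsp"'),
    ProcessEvent(700, 100, FW + r"\RegAsm.exe",
                 '"' + FW + r'\RegAsm.exe" /codebase "C:\Program Files\Vendor\Interop.dll"'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS).values():
        print(f"pid {f.pid} {PureWindowsPath(f.image).name}: " + "; ".join(f.reasons))
```

Fed with Sysmon Event ID 1 or Security 4688 records carrying the same four fields, the first pass alone catches the argument-less RegAsm.exe and the /stext vbc.exe; the second pass ties them together so an analyst sees one chain rather than two unrelated alerts. The benign devenv.exe and /codebase launches pass because they carry ordinary compiler or registration arguments and come from non-user-writable parents.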
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_07EE0C02 AdjustTokenPrivileges, 1_2_07EE0C02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_07EE0BCB AdjustTokenPrivileges, 1_2_07EE0BCB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\18da55c1-2652-5cda-252b-e5d7f7077c5d Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 2_2_00418073
Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vbc.exe, 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00E23C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00E23C99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\2132e5f5-d8d3-4986-a43e-f587e2be7b15
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe Mutant created: \Sessions\1\BaseNamedObjects\MdmDiagnosticsTool
Source: 0.3.slowday.exe.3b50000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.slowday.exe.3b50000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.3.slowday.exe.3b50000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.slowday.exe.3b50000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: slowday.exe Static file information: File size 2010624 > 1048576
Source: slowday.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x122600
Source: slowday.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: slowday.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: slowday.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: slowday.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: slowday.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: slowday.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: slowday.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.508932595.0000000003234000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509181368.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: slowday.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: slowday.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: slowday.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: slowday.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: slowday.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DE8AC5 push ecx; ret 0_2_00DE8AD8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00DD497D push ecx; ret 1_2_00DD4985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00DD9127 push ebp; retf 1_2_00DD913D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FAC5D0 push ebp; ret 1_2_00FAC5D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00FABE4C push 8BFFFFFFh; retf 1_2_00FABE5E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00444975 push ecx; ret 2_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00444B90 push eax; ret 2_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00444B90 push eax; ret 2_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00448E74 push eax; ret 2_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0042CF44 push ebx; retf 0042h 2_2_0042CF49
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00444975 push ecx; ret 6_2_00444985
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00444B90 push eax; ret 6_2_00444BA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00444B90 push eax; ret 6_2_00444BCC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00448E74 push eax; ret 6_2_00448E81
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0042CF44 push ebx; retf 0042h 6_2_0042CF49
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DC4D94 LoadLibraryA,GetProcAddress, 0_2_00DC4D94
Source: winlogons.exe.0.dr Static PE information: real checksum: 0xe3e32 should be: 0x1ec7db
Source: slowday.exe Static PE information: real checksum: 0xe3e32 should be: 0x1f33e6
Source: C:\Users\user\Desktop\slowday.exe File created: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe
Source: C:\Users\user\Desktop\slowday.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DC4A35
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00443A61
Source: C:\Users\user\Desktop\slowday.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6932 Thread sleep count: 192 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6932 Thread sleep time: -192000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5836 Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4400 Thread sleep count: 156 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4400 Thread sleep time: -156000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6624 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\Desktop\slowday.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040978A
Source: C:\Users\user\Desktop\slowday.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\slowday.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WCN\en-US\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\
Source: winlogons.exe, 00000007.00000003.273619408.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exe
Source: bhvBB7.tmp.21.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220308T163148Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=1d7250d04496405b83823a4351e0ec8f&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1418351&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1418351&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
Source: RegAsm.exe, 00000001.00000002.506628397.0000000001031000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000001.00000002.506628397.0000000001031000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0041829C memset,GetSystemInfo, 2_2_0041829C
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00E2449B GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E2449B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 2_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 2_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen, 6_2_0040938F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose, 6_2_00408CAC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 2_2_0040978A
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DC4D94 LoadLibraryA,GetProcAddress, 0_2_00DC4D94
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF5A39 IsDebuggerPresent, 0_2_00DF5A39
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00DF5BFC
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF9922 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00DF9922
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DEA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DEA2D5

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write (9 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A (9 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 (9 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 21F008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3AF008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3FE008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 301008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 262008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 204008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3E7008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 362008
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 307008
Source: 0.3.slowday.exe.3b50000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 7.3.winlogons.exe.3790000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 8.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 8.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 8.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DC4A35
Source: C:\Users\user\Desktop\slowday.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp33E2.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8255.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp"
Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp36CB.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp43C.tmp"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp4F4.tmp"
Source: slowday.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000001.00000002.507261968.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: slowday.exe Binary or memory string: Shell_TrayWnd
Source: winlogons.exe, 00000007.00000003.281870981.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.270071702.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.269434060.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [CLASS:Progman]
Source: C:\Users\user\Desktop\slowday.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF5007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00DF5007
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_004083A1 GetVersionExW, 2_2_004083A1
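The behaviour lines in this section, read together, document one process-hollowing run per vbc.exe child: RegAsm.exe allocates execute/read/write memory at the victim's image base 0x400000, writes a PE image there (the value starts with 4D5A, "MZ"), unmaps the original section at that base, writes the payload's sections (0x401000, 0x445000, 0x451000, 0x454000, or 0x413000, 0x417000, 0x419000 for the smaller payload), and finally writes a single pointer-sized value at an address ending in 008 outside the image. The report does not name that last target; an address ending in 008 is consistent with the ImageBaseAddress field at offset 0x8 of a 32-bit PEB, which a hollowing loader must update, and the script below treats it as a heuristic, not a fact from the report. The same RegAsm.exe parent then launches the hollowed vbc.exe with "/stext <temp file>", the NirSoft save-as-text switch that MailPassView and WebBrowserPassView accept and the real Visual Basic compiler does not. The following triage script is an added example written for this page, not part of the Joe Sandbox output: it parses lines of exactly the shape shown here, groups them by injector, victim and unmapped base, and reports which hollowing stages were observed plus any /stext children. The sample input is constructed from a handful of this report's own lines (one "Jump to behavior" link label deliberately left in to show it is tolerated); the 16 MiB section window, the PEB offset check and the list of .NET host binaries are the author's choices.

```python
"""Triage Joe Sandbox style behaviour lines for process hollowing and
NirSoft-style credential dumping. Added example for this report, not
sandbox output; the sample lines below are constructed from the report
(paths and addresses copied), and every threshold is the author's choice."""
import re
from collections import defaultdict

# Constructed sample: a few of the report's behaviour lines, one hollowing
# run plus the two process-creation lines that frame it.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 21F008 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp"
Source: C:\Users\user\Desktop\slowday.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"""

EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe) "
    r"(?P<event>Memory allocated|Memory written|Section unmapped|Process created): "
    r"(?P<rest>.+)$")
TARGET_RE = re.compile(r"^(?P<target>.+?\.exe) (?P<detail>.*)$")
BASE_RE = re.compile(r"base(?: address)?: (?P<base>[0-9A-Fa-f]+)")
PROTECT_RE = re.compile(r"protect: (?P<protect>.+)$")
MZ_RE = re.compile(r"value starts with: 4D5A\b")
STEXT_RE = re.compile(r'/stext\s+"?(?P<outfile>[^"]+)"?', re.IGNORECASE)

# Heuristic: 32-bit PEB.ImageBaseAddress sits at PEB+0x8, so a lone
# page-unaligned write ending in ...008 after the image copy is the tell.
PEB_IMAGE_BASE_OFFSET = 0x8
SECTION_SPAN = 0x1000000  # writes within 16 MiB above the base count as sections
# .NET Framework utilities commonly used as hollowing hosts (author's list).
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe"}


def parse_events(text):
    """Turn report lines into dicts; tolerates the trailing 'Jump to behavior' link text."""
    events = []
    for raw in text.splitlines():
        line = re.sub(r"\s*Jump to behavior$", "", raw.strip())
        m = EVENT_RE.match(line)
        tm = TARGET_RE.match(m["rest"]) if m else None
        if not tm:
            continue
        detail = tm["detail"]
        bm, pm = BASE_RE.search(detail), PROTECT_RE.search(detail)
        events.append({
            "src": m["src"], "event": m["event"], "target": tm["target"],
            "detail": detail,
            "base": int(bm["base"], 16) if bm else None,
            "protect": pm["protect"] if pm else None,
            "mz": bool(MZ_RE.search(detail)),
        })
    return events


def find_hollowing(events):
    """One finding per (injector, victim, unmapped base) with the stages seen.
    Joe Sandbox groups events by type, not by time, so key on the stage set."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["event"] != "Process created":
            by_pair[(ev["src"], ev["target"])].append(ev)
    findings = []
    for (src, target), evs in by_pair.items():
        bases = {e["base"] for e in evs
                 if e["event"] == "Section unmapped" and e["base"] is not None}
        for base in sorted(bases):
            stages = {"unmap"}
            for e in evs:
                b = e["base"]
                if e["event"] == "Memory allocated" and b == base and e["protect"] \
                        and "execute" in e["protect"] and "write" in e["protect"]:
                    stages.add("alloc_rwx")
                elif e["event"] == "Memory written" and b == base and e["mz"]:
                    stages.add("write_mz")
                elif e["event"] == "Memory written" and b is not None \
                        and (b & 0xFFF) == PEB_IMAGE_BASE_OFFSET:
                    stages.add("peb_patch")
                elif e["event"] == "Memory written" and b is not None \
                        and base < b < base + SECTION_SPAN:
                    stages.add("write_sections")
            findings.append({"src": src, "target": target, "base": base, "stages": stages,
                             "confirmed": {"alloc_rwx", "write_mz", "unmap"} <= stages})
    return findings


def find_stext_children(events):
    """Children launched with NirSoft's /stext (dump-to-text) switch; a .NET
    Framework utility accepting it is itself a sign its image was replaced."""
    hits = []
    for ev in events:
        m = STEXT_RE.search(ev["detail"]) if ev["event"] == "Process created" else None
        if m:
            image = ev["target"].rsplit("\\", 1)[-1].lower()
            hits.append({"parent": ev["src"], "child": ev["target"],
                         "outfile": m["outfile"].strip(),
                         "hollowed_host": image in DOTNET_HOSTS})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for f in find_hollowing(evs):
        print(f"{'HOLLOWING' if f['confirmed'] else 'partial'} {f['src']} -> {f['target']} "
              f"@ {f['base']:#x}: {sorted(f['stages'])}")
    for h in find_stext_children(evs):
        print(f"credential dump: {h['parent']} -> {h['child']} /stext {h['outfile']} "
              f"(hollowed .NET host: {h['hollowed_host']})")
```

Run against the full section the script yields nine confirmed findings for RegAsm.exe -> vbc.exe at 0x400000 and nine /stext children, matching the nine "Section unmapped" entries and nine process-creation lines above. The "confirmed" verdict deliberately requires only the three stages a hollowing loader cannot skip (RWX allocation at the base, MZ write at the base, unmap of the original image); the section-write and PEB-patch stages are reported as supporting evidence because their addresses vary per payload and the PEB check is a heuristic.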

Stealing of Sensitive Information

Source: Yara match File source: 35.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4b4834a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.f1834a.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43bb8f2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.47c35a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.ec0345.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4af0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6abdc50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.481b8f2.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.47c38ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4b4834a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43bb8f2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.481b8f2.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43635a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43635a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.47c35a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43638ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.f1834a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4af0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.6771c10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4af0345.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.680dc50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6a21c10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.66d5bd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6985bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.426437716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.427032504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.508932595.0000000003234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.476920702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.509181368.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.476609375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 2988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3004, type: MEMORYSTR
Source: Yara match File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match File source: 19.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.680dc50.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.6771c10.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.47c35a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6a21c10.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.ec0345.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4af0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6abdc50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.66d5bd0.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.47c38ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4af0345.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6985bd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43635a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43635a8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43638ed.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.47c38ed.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.RegAsm.exe.47c35a8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.ec0345.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.RegAsm.exe.43638ed.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4af0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.6771c10.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6abdc50.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.4af0345.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.680dc50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6a21c10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.66d5bd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.6985bd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.322785031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.265133062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.265486423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.335659001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.323179438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.289449551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.251237329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.305602938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.335973967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.305230219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.287929150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.507298136.0000000003106000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.250547287.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.507684707.0000000003176000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.289148039.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.287452128.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.507061368.0000000003012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6244, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 4724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 5852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 408, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
Source: slowday.exe, 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: slowday.exe, 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: winlogons.exe, 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: winlogons.exe, 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: RegAsm.exe, 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles