
Analysis Report 4bb2HFlPzo

Overview

General Information

Sample Name: 4bb2HFlPzo (renamed file extension from none to exe)
MD5: 4b1b796b4570ba551ea2e858eb0aed11
SHA1: 500e66a61d755a263a0b2e954e7536f18beace7d
SHA256: a399b7d0e0d22e8a49c37d02fd7e87ab1f50492d9b9fb98181bfa135caf44cab

Detection

HawkEye
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 4bb2HFlPzo.exe (PID: 3104 cmdline: 'C:\Users\user\Desktop\4bb2HFlPzo.exe' MD5: 4B1B796B4570BA551EA2E858EB0AED11)
    • 4bb2HFlPzo.exe (PID: 5200 cmdline: {path} MD5: 4B1B796B4570BA551EA2E858EB0AED11)
      • vbc.exe (PID: 1108 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFFF3.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4036 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpF540.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "browserpv", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000001.00000003.1066238354.0000000004F92000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | strings:
  • 0x168c96:$s1: HawkEye Keylogger
  • 0x168cfb:$s1: HawkEye Keylogger
  • 0x2c0ae6:$s1: HawkEye Keylogger
  • 0x2c0b4b:$s1: HawkEye Keylogger
  • 0x162230:$s2: _ScreenshotLogger
  • 0x2ba080:$s2: _ScreenshotLogger
  • 0x1621fd:$s3: _PasswordStealer
  • 0x2ba04d:$s3: _PasswordStealer
00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
(14 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
1.2.4bb2HFlPzo.exe.400000.0.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth | strings:
  • 0xa1fc6:$s1: HawkEye Keylogger
  • 0xa202b:$s1: HawkEye Keylogger
  • 0x9b560:$s2: _ScreenshotLogger
  • 0x9b52d:$s3: _PasswordStealer
1.2.4bb2HFlPzo.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |
1.2.4bb2HFlPzo.exe.400000.0.unpack | HawkEyev9 | HawkEye v9 Payload | ditekshen | strings:
  • 0x9b52d:$str1: _PasswordStealer
  • 0x9b53e:$str2: _KeyStrokeLogger
  • 0x9b560:$str3: _ScreenshotLogger
  • 0x9b54f:$str4: _ClipboardLogger
  • 0x9b572:$str5: _WebCamLogger
  • 0x9b687:$str6: _AntiVirusKiller
  • 0x9b675:$str7: _ProcessElevation
  • 0x9b63c:$str8: _DisableCommandPrompt
  • 0x9b742:$str9: _WebsiteBlocker
  • 0x9b752:$str9: _WebsiteBlocker
  • 0x9b628:$str10: _DisableTaskManager
  • 0x9b6a3:$str11: _AntiDebugger
  • 0x9b72d:$str12: _WebsiteVisitorSites
  • 0x9b652:$str13: _DisableRegEdit
  • 0x9b6b1:$str14: _ExecutionDelay
  • 0x9b5d6:$str15: _InstallStartupPersistance
3.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
(4 further entries not shown)
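Added example, not part of this report and not the source of the HawkEyev9 rule: a small Python re-implementation of the string-set check behind the HawkEyev9 match above, run over a constructed buffer so the reported offsets can be reproduced and checked. The fifteen marker strings are the ones the match lists; the condition used here (an MZ header plus at least 10 of the 15 markers) is an assumption about the rule, not a quote of it, and the sample buffer is constructed.

```python
# The fifteen ASCII markers the HawkEyev9 match lists above, keyed by the rule's
# string identifiers. _InstallStartupPersistance is spelled as it is in the sample.
HAWKEYE_V9_MARKERS = {
    "str1": b"_PasswordStealer",
    "str2": b"_KeyStrokeLogger",
    "str3": b"_ScreenshotLogger",
    "str4": b"_ClipboardLogger",
    "str5": b"_WebCamLogger",
    "str6": b"_AntiVirusKiller",
    "str7": b"_ProcessElevation",
    "str8": b"_DisableCommandPrompt",
    "str9": b"_WebsiteBlocker",
    "str10": b"_DisableTaskManager",
    "str11": b"_AntiDebugger",
    "str12": b"_WebsiteVisitorSites",
    "str13": b"_DisableRegEdit",
    "str14": b"_ExecutionDelay",
    "str15": b"_InstallStartupPersistance",
}


def find_all(buf, needle):
    """Every offset of needle in buf; Yara reports each occurrence, which is why
    $str9 appears twice in the match above."""
    offsets, pos = [], buf.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(needle, pos + 1)
    return offsets


def scan(buf, markers=HAWKEYE_V9_MARKERS, minimum=10):
    """Mini rule engine: collect (offset, id, text) hits and evaluate the condition.
    Condition assumed for this example: PE header (MZ) and at least `minimum`
    distinct markers present."""
    hits = sorted(
        (off, ident, needle.decode())
        for ident, needle in markers.items()
        for off in find_all(buf, needle)
    )
    distinct = {ident for _, ident, _ in hits}
    is_pe = buf[:2] == b"MZ"
    return {
        "is_pe": is_pe,
        "hits": hits,
        "distinct": len(distinct),
        "matched": is_pe and len(distinct) >= minimum,
    }


def format_hits(result):
    """Render hits the way the report's Strings column does: 0x<offset>:$<id>: <text>."""
    return [f"0x{off:x}:${ident}: {text}" for off, ident, text in result["hits"]]


def build_sample():
    """Constructed stand-in for an unpacked HawkEye image (not the real sample):
    MZ header, 0x100 bytes of padding, then the markers null-separated the way a
    .NET #Strings heap lays them out, with _WebsiteBlocker repeated once as in
    the report."""
    heap = b"\x00".join(HAWKEYE_V9_MARKERS.values()) + b"\x00_WebsiteBlocker\x00"
    return b"MZ" + b"\x00" * 0x100 + heap


SAMPLE_PE = build_sample()

if __name__ == "__main__":
    result = scan(SAMPLE_PE)
    print("matched:", result["matched"], "distinct markers:", result["distinct"])
    print("\n".join(format_hits(result)))
```

The point of the distinct-marker threshold is resilience: a build of HawkEye that drops or renames a few modules still matches, while a file that merely mentions one of these names (a write-up, a detection test) does not. Dropping the MZ check is the usual way to extend such a rule to memory dumps like the ones in the Memory Dumps table, where the header may be absent.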

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data: Command: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFFF3.tmp', CommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFFF3.tmp', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\4bb2HFlPzo.exe, ParentProcessId: 5200, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFFF3.tmp', ProcessId: 1108
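Added example, not part of the Joe Sandbox report and not the Sigma rule it cites: a Python hunting check that applies the same idea to process-creation telemetry. It flags a .NET Framework compiler binary launched with a NirSoft save switch that writes a .tmp file under the user's Temp folder from a parent that is not a build tool, which is exactly the vbc.exe /stext launch in the Startup tree (the hollowed vbc.exe is running WebBrowserPassView, and /stext is how NirSoft tools dump their results). The events are constructed; the csc.exe host, the save switches other than /stext, and the build-tool parent allow-list are assumptions for the example.

```python
import ntpath
import re

# NirSoft recovery tools write their results with a save switch; /stext is the one
# in this report's command lines. The others are the tools' remaining text/table
# output switches and are included on the assumption that the same family is
# worth matching regardless of output format.
NIRSOFT_SAVE_SWITCH = re.compile(
    r"/(stext|stab|stabular|scomma|shtml|sverhtml|sxml)\s+['\"]?([^'\"]+?\.tmp)\b",
    re.IGNORECASE,
)
# .NET Framework binaries used as a hollowing host. vbc.exe is what the report
# shows; csc.exe is added as an assumption (same directory, same signed cover).
HOLLOW_HOSTS = {"vbc.exe", "csc.exe"}
# Parents under which a genuine compiler launch is expected (assumed allow-list;
# tune it to the environment, a real compile of user code is not a finding).
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe"}

# Constructed Sysmon-style process-creation events (not the sandbox's telemetry).
# The first one reproduces the vbc.exe command line from the Startup tree above.
SAMPLE_EVENTS = [
    {
        "ProcessId": 1108, "ParentProcessId": 5200,
        "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
        "CommandLine": r"'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFFF3.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\4bb2HFlPzo.exe",
    },
    {   # a real build: same binary, compiler arguments, build-tool parent
        "ProcessId": 2200, "ParentProcessId": 2100,
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
        "CommandLine": r"vbc.exe /noconfig /out:C:\build\App.dll C:\build\Program.vb",
        "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\MSBuild.exe",
    },
    {   # a .tmp under Temp on its own is not interesting
        "ProcessId": 3300, "ParentProcessId": 3200,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\user\AppData\Local\Temp\tmpA1B2.tmp",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def analyze(event):
    """Return a finding dict for one process-creation event, or None."""
    image = ntpath.basename(event["Image"]).lower()
    if image not in HOLLOW_HOSTS:
        return None
    m = NIRSOFT_SAVE_SWITCH.search(event["CommandLine"])
    if m is None:
        return None
    switch, out_path = m.group(1).lower(), m.group(2)
    parent = ntpath.basename(event["ParentImage"]).lower()
    reasons = [f"{image} launched with NirSoft save switch /{switch}"]
    if "\\appdata\\local\\temp\\" in out_path.lower():
        reasons.append("results written to a .tmp file in the user's Temp folder")
    if parent not in BUILD_PARENTS:
        reasons.append(f"parent {parent} is not a build tool")
    return {
        "ProcessId": event["ProcessId"],
        "ParentProcessId": event["ParentProcessId"],
        "OutputFile": out_path,
        "Reasons": reasons,
    }


def hunt(events):
    """Run analyze() over a list of events and keep the findings."""
    return [f for f in map(analyze, events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The command line is the only part of this event that gives the game away: the image is a signed Microsoft binary in its normal path, and the report's own "Sample file is different than original file name gathered from version info" applies to the dropper, not to vbc.exe. The .tmp output file is also worth collecting at response time; it holds the recovered credentials before the parent reads it back and uploads.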

Signature Overview

AV Detection:

Found malware configuration
Source: 4bb2HFlPzo.exe.5200.1.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "browserpv", "mailpv"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: http://pomf.cat/upload.php; Virustotal: Detection: 11%
Source: https://a.pomf.cat/; Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: 4bb2HFlPzo.exe; Virustotal: Detection: 54%
Machine Learning detection for sample
Source: 4bb2HFlPzo.exe; Joe Sandbox ML: detected
Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 2_2_004078FB FindFirstFileW,FindNextFileW

Source: vbc.exe, 00000002.00000002.1078526508.0000000000B0A000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.1291757497.00000000001FA000.00000004.00000001.sdmp; String found in binary or memory: //go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000002.00000002.1078526508.0000000000B0A000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.1291757497.00000000001FA000.00000004.00000001.sdmp; String found in binary or memory: //go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000002.00000003.1077112823.0000000000B09000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291133618.00000000001F9000.00000004.00000001.sdmp; String found in binary or memory: ://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1&IsFRE=1https://www.msn.com/spartan/ientpres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000002.00000003.1077112823.0000000000B09000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291133618.00000000001F9000.00000004.00000001.sdmp; String found in binary or memory: ://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://www.microsoft.com/en-us/welcomeie11/welcomeie11https://www.microsoft.com/en-us/welcomeie11/https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1&IsFRE=1https://www.msn.com/spartan/ientpres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.1077539020.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: C0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login+ID equals www.facebook.com (Facebook)
Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.1077539020.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: C0123456789ABCDEFURL index.dathttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login+ID equals www.yahoo.com (Yahoo)
Source: vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: deo-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF ^ equals www.facebook.com (Facebook)
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: ideo Calling","url":"https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: http://appldnld.apple.com/QuickTime/041-308
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp; String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp; String found in binary or memory: http://bot.whatismyipaddress.com/
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: http://download.divx.com/player/divxdotcom/P
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: vbc.exe, 00000002.00000002.1080217588.0000000002900000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.1294178516.00000000027B0000.00000004.00000001.sdmp; String found in binary or memory: http://fpdownload.macromedia.com0
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp; String found in binary or memory: http://pomf.cat/upload.php
Source: 4bb2HFlPzo.exe, 00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp, 4bb2HFlPzo.exe, 00000001.00000002.1482683687.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp; String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: http://support.apple.com/kb/HP
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp; String found in binary or memory: http://support.apple.com/kb/HT203092
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: http://www.google.com/earth/explor
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: http://www.interoperabilitybridges.com/wm
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000002.00000002.1077461632.0000000000193000.00000004.00000010.sdmp, vbc.exe, 00000003.00000002.1291683152.0000000000193000.00000004.00000010.sdmp; String found in binary or memory: http://www.nirsoft.net
Source: 4bb2HFlPzo.exe, 00000001.00000003.1066238354.0000000004F92000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000002.00000002.1077539020.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp; String found in binary or memory: http://www.nirsoft.net/
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: 4bb2HFlPzo.exe, 00000000.00000002.1072560988.0000000005FB6000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp; String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe; String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: https://support.g
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.P9
Source: vbc.exe, 00000002.00000002.1080217588.0000000002900000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.1294178516.00000000027B0000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.co0
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrom
Source: vbc.exe, 00000002.00000002.1080217588.0000000002900000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.1294178516.00000000027B0000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin0
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.1078637792.00000000022DC000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290018048.00000000021F5000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: vbc.exe, 00000002.00000003.1076931024.00000000022D0000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.1078637792.00000000022DC000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290018048.00000000021F5000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1291197550.00000000021F0000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: vbc.exe, 00000002.00000002.1080217588.0000000002900000.00000004.00000001.sdmp, vbc.exe, 00000003.00000002.1294178516.00000000027B0000.00000004.00000001.sdmp; String found in binary or memory: https://support.googlp
Source: vbc.exe, 00000002.00000003.1076756568.0000000002901000.00000004.00000001.sdmp, vbc.exe, 00000003.00000003.1290883920.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: https://support.microsoft
Source: vbc.exe; String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match; File source: 00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1482683687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1486913150.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: 4bb2HFlPzo.exe PID: 3104, type: MEMORY
Source: Yara match; File source: Process Memory Space: 4bb2HFlPzo.exe PID: 5200, type: MEMORY
Source: Yara match; File source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 2_2_00441090 OpenClipboard,GetLastError,DeleteFileW
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.1482683687.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 00000001.00000002.1486913150.00000000036F9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: 4bb2HFlPzo.exe PID: 3104, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: Process Memory Space: 4bb2HFlPzo.exe PID: 5200, type: MEMORY; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye Keylogger Reborn, Author: Florian Roth
Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: HawkEye v9 Payload, Author: ditekshen
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02930DDA NtQuerySystemInformation
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02930DA0 NtQuerySystemInformation
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B511 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B34E NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B3F3 NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B5DF NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B7CE NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B01A NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B48B NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B978 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B952 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B55F NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B786 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B836 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B638 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B828 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B677 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B264 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B650 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B254 NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B69B NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B8CC NtUnmapViewOfSection,NtUnmapViewOfSection
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 2_2_00407D84 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
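Added example, not the sandbox's own detection logic or trace format: the native-API evidence above (NtUnmapViewOfSection beside VirtualAllocEx in the stage-2 process) together with the "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures is the classic hollowing sequence, and this Python correlates such calls per injector/target pair into a verdict the way an EDR or API-monitor backend would. The trace is constructed: only the PIDs 5200 (stage-2 4bb2HFlPzo.exe) and 1108 (its vbc.exe child) come from the Startup tree, and the addresses, sizes and the two benign look-alike chains are invented for the example.

```python
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit of CreateProcess

# API name -> hollowing stage. Win32 and Nt/Zw spellings are both listed because
# the report shows native calls (NtUnmapViewOfSection) beside Win32 ones
# (VirtualAllocEx); a monitor may log either layer.
STAGES = {
    "CreateProcessA": "create_suspended", "CreateProcessW": "create_suspended",
    "NtUnmapViewOfSection": "unmap", "ZwUnmapViewOfSection": "unmap",
    "VirtualAllocEx": "alloc", "NtAllocateVirtualMemory": "alloc",
    "WriteProcessMemory": "write", "NtWriteVirtualMemory": "write",
    "SetThreadContext": "context", "NtSetContextThread": "context",
    "ResumeThread": "resume", "NtResumeThread": "resume",
}

# Constructed API trace: (caller pid, api, target pid, args). Only the PIDs 5200
# and 1108 come from the report; addresses and sizes are invented.
TRACE = [
    (5200, "CreateProcessW", 1108, {"lpApplicationName": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
                                    "dwCreationFlags": CREATE_SUSPENDED}),
    (5200, "NtUnmapViewOfSection", 1108, {"BaseAddress": 0x400000}),
    (5200, "VirtualAllocEx", 1108, {"lpAddress": 0x400000, "dwSize": 0x2D000, "flProtect": 0x40}),
    (5200, "WriteProcessMemory", 1108, {"lpBaseAddress": 0x400000, "nSize": 0x2D000}),
    (5200, "SetThreadContext", 1108, {}),
    (5200, "ResumeThread", 1108, {}),
    # Benign look-alike 1: a debugger starts its debuggee suspended and resumes
    # it, but never replaces the image.
    (7000, "CreateProcessW", 7001, {"lpApplicationName": r"C:\build\App.exe",
                                    "dwCreationFlags": CREATE_SUSPENDED | 0x2}),
    (7000, "ResumeThread", 7001, {}),
    # Benign look-alike 2: a cross-process write with no suspended create.
    (9000, "VirtualAllocEx", 9001, {"lpAddress": 0, "dwSize": 0x1000, "flProtect": 0x04}),
    (9000, "WriteProcessMemory", 9001, {"lpBaseAddress": 0x1A0000, "nSize": 0x1000}),
]


def correlate(trace):
    """Group stage events per (injector, target) pair, preserving call order."""
    chains = {}
    for caller, api, target, args in trace:
        stage = STAGES.get(api)
        if stage is None:
            continue
        if stage == "create_suspended" and not args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            continue  # an ordinary CreateProcess is not a hollowing stage
        chains.setdefault((caller, target), []).append(stage)
    return chains


def verdict(stages):
    """Return 'high', 'medium' or None for one ordered list of stages."""
    seen = set(stages)
    if not {"create_suspended", "resume"} <= seen:
        return None
    first_create = stages.index("create_suspended")
    last_resume = max(i for i, s in enumerate(stages) if s == "resume")
    if first_create > last_resume:
        return None  # resumed before it was ever created suspended: unrelated calls
    # The image must actually be replaced: either the original is unmapped, or
    # new memory is carved out and written in the child.
    if not ("unmap" in seen or {"alloc", "write"} <= seen):
        return None
    return "high" if {"unmap", "write", "context"} <= seen else "medium"


def hunt(trace):
    """All (injector, target) pairs whose call chain looks like process hollowing."""
    findings = []
    for (injector, target), stages in correlate(trace).items():
        confidence = verdict(stages)
        if confidence:
            findings.append({"injector": injector, "target": target,
                             "confidence": confidence, "stages": stages})
    return findings


if __name__ == "__main__":
    for f in hunt(TRACE):
        print(f)
```

A suspended create followed by a resume is also what a debugger or a process-profiler does, so the verdict insists on the image being replaced; the sandbox's "Injects a PE file into a foreign process" signature is the same distinction, made on the written bytes rather than on the call pattern.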
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02892CE0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_0289001B
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02897DC8
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_0289131B
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02890090
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02899090
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02897E6A
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02898FE8
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 0_2_02898379
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03314998
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03311D80
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_033181E0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_033173E9
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331CA38
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331B01A
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331C670
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331C040
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_033108B0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03318E90
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331A498
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_033178F0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331C2E0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_033134D0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03311D31
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03312730
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03312720
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03313711
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03316908
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331390D
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03313B0F
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03313777
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_0331BD78
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03313B63
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03317D68
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03318758
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03317D58
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03313744
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03318749
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_033181B1
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_03314DB0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_033145B0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe; Code function: 1_2_033137B8
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331C7BF1_2_0331C7BF
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03314DA21_2_03314DA2
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331A9AC1_2_0331A9AC
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033135801_2_03313580
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331BD831_2_0331BD83
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03313B871_2_03313B87
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331BD881_2_0331BD88
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033149881_2_03314988
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03313DF01_2_03313DF0
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331A9F81_2_0331A9F8
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033137FA1_2_033137FA
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033141D81_2_033141D8
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033139DA1_2_033139DA
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033145C01_2_033145C0
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033141C81_2_033141C8
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03315A301_2_03315A30
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331C0301_2_0331C030
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03313A3A1_2_03313A3A
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331A63E1_2_0331A63E
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03315A201_2_03315A20
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331CA281_2_0331CA28
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033108171_2_03310817
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033132181_2_03313218
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331361B1_2_0331361B
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033108011_2_03310801
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03313C001_2_03313C00
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03313E001_2_03313E00
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033136711_2_03313671
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03313A771_2_03313A77
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331C6621_2_0331C662
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033138681_2_03313868
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_03313AB41_2_03313AB4
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033138B71_2_033138B7
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331C8941_2_0331C894
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331369C1_2_0331369C
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331388B1_2_0331388B
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033182F41_2_033182F4
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033168F81_2_033168F8
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033178E01_2_033178E0
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_0331C2D01_2_0331C2D0
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeCode function: 1_2_033182C21_2_033182C2
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040C0252_2_0040C025
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004301DB2_2_004301DB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040527B2_2_0040527B
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004472342_2_00447234
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004052EC2_2_004052EC
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040535D2_2_0040535D
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0044630A2_2_0044630A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004053EE2_2_004053EE
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004465B02_2_004465B0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040E6512_2_0040E651
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0043662E2_2_0043662E
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004477432_2_00447743
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0043A8EB2_2_0043A8EB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_004059662_2_00405966
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0044696D2_2_0044696D
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00404BB02_2_00404BB0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00446C782_2_00446C78
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_0040FDCC2_2_0040FDCC
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00405DFA2_2_00405DFA
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00410E402_2_00410E40
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00405EF72_2_00405EF7
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 2_2_00446E9F2_2_00446E9F
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004106CD appears 34 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00410A75 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 0041082E appears 67 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004481F0 appears 41 times
                Source: 4bb2HFlPzo.exe, 00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs 4bb2HFlPzo.exe
                Source: 4bb2HFlPzo.exe, 00000000.00000002.1071435763.0000000005160000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 4bb2HFlPzo.exe
                Source: 4bb2HFlPzo.exe, 00000000.00000000.1058339706.000000000057E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSAWRpQVxZOp.exe4 vs 4bb2HFlPzo.exe
                Source: 4bb2HFlPzo.exe, 00000000.00000002.1067107069.0000000002940000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSnakeLib.dll2 vs 4bb2HFlPzo.exe
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1491364011.0000000008390000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs 4bb2HFlPzo.exe
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1483312377.0000000000EFE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSAWRpQVxZOp.exe4 vs 4bb2HFlPzo.exe
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1486913150.00000000036F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReborn Stub.exe" vs 4bb2HFlPzo.exe
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1491683528.0000000008490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 4bb2HFlPzo.exe
                Source: 4bb2HFlPzo.exe | Binary or memory string: OriginalFilenameSAWRpQVxZOp.exe4 vs 4bb2HFlPzo.exe
                Source: 00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000001.00000002.1482683687.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000001.00000002.1486913150.00000000036F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: 4bb2HFlPzo.exe PID: 3104, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: 4bb2HFlPzo.exe PID: 5200, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
                Source: 4bb2HFlPzo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u202d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u200b????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
                Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u202a????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/4@0/0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0041239C GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 0_2_02930D0A AdjustTokenPrivileges
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 0_2_02930CD3 AdjustTokenPrivileges
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_083A0AD2 AdjustTokenPrivileges
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_083A0A9B AdjustTokenPrivileges
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00412826 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0040DA46 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00446250 GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\4bb2HFlPzo.exe.log
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Mutant created: \Sessions\1\BaseNamedObjects\nlbGwIjQjBrdeUn
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | File created: C:\Users\user\AppData\Local\Temp\938add49-c60b-3b5f-1bfb-50e6a0d7c794
                Source: 4bb2HFlPzo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, 00000002.00000002.1077539020.0000000000400000.00000040.00000001.sdmp, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: 4bb2HFlPzo.exe | Virustotal: Detection: 54%
                Source: unknown | Process created: C:\Users\user\Desktop\4bb2HFlPzo.exe 'C:\Users\user\Desktop\4bb2HFlPzo.exe'
                Source: unknown | Process created: C:\Users\user\Desktop\4bb2HFlPzo.exe {path}
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFFF3.tmp'
                Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpF540.tmp'
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process created: C:\Users\user\Desktop\4bb2HFlPzo.exe {path}
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFFF3.tmp'
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpF540.tmp'
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                Source: 4bb2HFlPzo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                Source: 4bb2HFlPzo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: 4bb2HFlPzo.exe, 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, vbc.exe, vbc.exe, 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp
                Source: Binary string: C:\Users\Vendetta\Desktop\crypts\SnakeCsharp-master\Snake\obj\Debug\SnakeLib.pdb source: 4bb2HFlPzo.exe, 00000000.00000002.1067107069.0000000002940000.00000004.00000001.sdmp
                Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: 4bb2HFlPzo.exe, 00000001.00000003.1066238354.0000000004F92000.00000004.00000001.sdmp
                Source: Binary string: mscorrc.pdb source: 4bb2HFlPzo.exe, 00000000.00000002.1071435763.0000000005160000.00000002.00000001.sdmp, 4bb2HFlPzo.exe, 00000001.00000002.1491683528.0000000008490000.00000002.00000001.sdmp

                Data Obfuscation:

                Binary contains a suspicious time stamp
                Source: initial sample | Static PE information: 0x8F8ED1F3 [Sat Apr 28 04:15:47 2046 UTC]
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00402CAB LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 0_2_0056E005 push es; retf 0_2_0056E012
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 0_2_02899D40 push esp; ret 0_2_02899DE9
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_00EEE005 push es; retf 1_2_00EEE012
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_031E0E50 push esp; ret 1_2_031E0E53
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_031E0EA8 push esp; ret 1_2_031E0EAB
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_03319F28 push eax; iretd 1_2_03319F29
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_03312F1C push ss; retf 1_2_03312F1D
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_03312FA5 push ss; retf 1_2_03312FA6
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: 1_2_083A1FB7 push 6AEBC381h; ret 1_2_083A2011
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_004481F0 push eax; ret 2_2_00448204
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_004481F0 push eax; ret 2_2_0044822C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0044C9F4 push eax; ret 2_2_0044CA01
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_0043CF29 pushad ; retf 0043h 2_2_0043CF2A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00447FD5 push ecx; ret 2_2_00447FE5
                Source: initial sample | Static PE information: section name: .text entropy: 7.94078407374

                Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\4bb2HFlPzo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT MacAddress FROM Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00407D84 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,2_2_00407D84
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: GetAdaptersInfo,1_2_083A1502
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Code function: GetAdaptersInfo,1_2_083A14E0
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe TID: 4488 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe TID: 4228 | Thread sleep count: 232 > 30
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe TID: 4228 | Thread sleep time: -232000s >= -30000s
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe TID: 1388 | Thread sleep count: 61 > 30
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe TID: 1388 | Thread sleep time: -61000s >= -30000s
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe TID: 556 | Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_004078FB FindFirstFileW,FindNextFileW,2_2_004078FB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00412A4F memset,GetSystemInfo,2_2_00412A4F
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00407D84 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,2_2_00407D84
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00402CAB LoadLibraryW,GetProcAddress,FreeLibrary,#17,MessageBoxW,2_2_00402CAB
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Memory allocated: page read and write | page guard
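The evasion evidence above is a set of independent heuristics: VM-fingerprint WMI queries (MacAddress, ProcessorId), analysis-tool names held in memory (SBIEDLL.DLL, WIRESHARK.EXE), and sleep patterns (a 10-minute delay, two threads looping over short sleeps more than 30 times, and a delay of 922337203685477 ms, which is 2^63 100-nanosecond units converted to milliseconds and so consistent with an INFINITE delay interval). The following Python is an added example, not code from the report or from the sandbox, that applies those heuristics to a constructed trace transcribed from the lines above. The thresholds, the hypervisor OUI table and the two-rule verdict are assumptions chosen to match the signature names, not the sandbox's own constants.

```python
import re
from dataclasses import dataclass

# Thresholds are assumptions chosen to match the signature names in this report
# ("Contains long sleeps (>= 3 min)", "Thread sleep count: N > 30"); they are not
# the sandbox's own constants.
LONG_SLEEP_MS = 3 * 60 * 1000
SLEEP_LOOP_COUNT = 30
# 2**63 100-nanosecond units expressed in milliseconds: the value logged above,
# consistent with an INFINITE relative delay (Thread.Sleep(Timeout.Infinite)
# reaching NtDelayExecution with 0x8000000000000000) once converted to ms.
INFINITE_SLEEP_MS = 922337203685477

# (class, property) pairs whose values differ on hypervisors.
VM_FINGERPRINT_WMI = {
    ("win32_networkadapterconfiguration", "macaddress"),
    ("win32_networkadapter", "macaddress"),
    ("win32_processor", "processorid"),
}

# Analysis-tool names the sample carries in memory (SBIEDLL.DLL = Sandboxie,
# WIRESHARK.EXE), compared against loaded modules / running processes.
ANALYSIS_TOOL_NAMES = {"sbiedll.dll", "wireshark.exe"}

# Well-known hypervisor OUIs; an assumption about what a MacAddress check compares
# against, since the report shows only the query, not the comparison.
HYPERVISOR_OUI = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "00:16:3e": "Xen",
}

WMI_SELECT = re.compile(r"SELECT\s+(\w+)\s+FROM\s+(\w+)", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    evidence: str


def hypervisor_from_mac(mac: str):
    """Vendor implied by the MAC's OUI (first three octets), or None when no hypervisor matches."""
    oui = mac.lower().replace("-", ":")[:8]
    return HYPERVISOR_OUI.get(oui)


def score_evasion(events):
    """Classify sandbox-evasion indicators in a trace.

    events: iterable of (kind, value) with kind in
      'wmi' (query text), 'sleep_ms' (int), 'sleep_count' (int, per thread), 'string' (memory string).
    Returns the Findings in trace order.
    """
    findings = []
    for kind, value in events:
        if kind == "wmi":
            m = WMI_SELECT.search(value)
            if m and (m.group(2).lower(), m.group(1).lower()) in VM_FINGERPRINT_WMI:
                findings.append(Finding("vm_fingerprint_wmi", value))
        elif kind == "sleep_ms":
            if value >= INFINITE_SLEEP_MS:
                findings.append(Finding("infinite_sleep", str(value)))
            elif value >= LONG_SLEEP_MS:
                findings.append(Finding("long_sleep", str(value)))
        elif kind == "sleep_count":
            if value > SLEEP_LOOP_COUNT:
                findings.append(Finding("sleep_loop", str(value)))
        elif kind == "string":
            if value.lower() in ANALYSIS_TOOL_NAMES:
                findings.append(Finding("analysis_tool_name", value))
    return findings


def is_evasive(findings, min_distinct_rules=2):
    """Require two independent indicator classes before calling a trace evasive;
    a lone long sleep or a lone WMI query is common in benign software."""
    return len({f.rule for f in findings}) >= min_distinct_rules


# Constructed trace, transcribed from the evidence lines above (not a sandbox export).
SAMPLE_TRACE = [
    ("wmi", "SELECT MacAddress FROM Win32_NetworkAdapterConfiguration"),
    ("string", "SBIEDLL.DLL"),
    ("string", "WIRESHARK.EXE"),
    ("sleep_ms", 922337203685477),
    ("sleep_ms", 600000),
    ("sleep_count", 232),
    ("sleep_count", 61),
    ("wmi", "SELECT ProcessorId FROM Win32_Processor"),
    ("wmi", "SELECT Caption FROM Win32_OperatingSystem"),  # benign query, must not fire
    ("sleep_ms", 1000),                                    # benign sleep, must not fire
]

if __name__ == "__main__":
    hits = score_evasion(SAMPLE_TRACE)
    for f in hits:
        print(f"{f.rule:22} {f.evidence}")
    print("evasive:", is_evasive(hits))
```

The point of `is_evasive` is the conjunction: the WMI query alone is something inventory agents issue every day, and a 10-minute sleep alone is an updater; it is the combination with an infinite sleep, sleep loops and tool names in memory that makes the trace worth a verdict.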

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, u200d????????????????????????????????????????.cs | Reference to suspicious API methods: ('?????????????????????????????????????????', 'FindResource@kernel32.dll'), ('?????????????????????????????????????????', 'capGetDriverDescriptionA@avicap32.dll'), ('?????????????????????????????????????????', 'WriteProcessMemory@kernel32.dll'), ('????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'VirtualAllocEx@kernel32.dll'), ('?????????????????????????????????????????', 'ReadProcessMemory@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll') (the .cs name and the referencing method names are obfuscated Unicode identifiers that the report renders as '?'; the u200d prefix is a zero-width joiner)
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Memory written: C:\Users\user\Desktop\4bb2HFlPzo.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process created: C:\Users\user\Desktop\4bb2HFlPzo.exe {path}
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpFFF3.tmp'
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmpF540.tmp'
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486913150.00000000036F9000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: 4bb2HFlPzo.exe, 00000001.00000002.1484849001.0000000001C80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 4bb2HFlPzo.exe, 00000001.00000002.1484849001.0000000001C80000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 4bb2HFlPzo.exe, 00000001.00000002.1484849001.0000000001C80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_004128EA GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,2_2_004128EA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 2_2_00411469 GetVersionExW,2_2_00411469
Source: C:\Users\user\Desktop\4bb2HFlPzo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: bdagent.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: MSASCui.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: avguard.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: avgrsx.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: avcenter.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: avp.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: zlclient.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: wireshark.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: avgcsrvx.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: avgnt.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: hijackthis.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: avgui.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: avgwdsvc.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: mbam.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: MsMpEng.exe
Source: 4bb2HFlPzo.exe, 00000001.00000002.1486876245.00000000036E0000.00000004.00000001.sdmp | Binary or memory string: ComboFix.exe

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1482683687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1486913150.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4bb2HFlPzo.exe PID: 3104, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4bb2HFlPzo.exe PID: 5200, type: MEMORY
Source: Yara match | File source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\places.sqlite
Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: 00000003.00000002.1291830665.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.1066238354.0000000004F92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1489431895.00000000070D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1077539020.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1487894037.00000000056E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1486913150.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4bb2HFlPzo.exe PID: 5200, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1108, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 4036, type: MEMORY
Source: Yara match | File source: 2.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.4bb2HFlPzo.exe.56e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.4bb2HFlPzo.exe.56e0000.2.raw.unpack, type: UNPACKEDPE
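Two sections above describe one chain: under HIPS / PFW evasion the dropper spawns a copy of itself, then hollows two instances of the .NET Framework compiler vbc.exe and hands each a NirSoft-style "/stext <file>" switch; under Stealing of Sensitive Information those same vbc.exe processes open the Chrome Login Data / Web Data files and the Firefox profiles.ini, key4.db and places.sqlite. A compiler never needs any of that, which makes the pair of events a high-confidence detection. The Python below is an added example, not code from the report or from any EDR product, that correlates process-creation and file-open records by PID and raises on exactly that chain. The event stream is constructed from the lines above: PIDs, images and command lines are the report's, but the parent of the first process, which vbc.exe instance opened which file, and the benign MSBuild-driven compile at the end are assumptions.

```python
import ntpath
import re

# .NET Framework binaries commonly hollowed by HawkEye-style loaders; vbc.exe is the
# one seen in this report, the others are an assumption drawn from the same family.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regsvcs.exe", "regasm.exe", "installutil.exe", "aspnet_compiler.exe"}

# "/stext <file>" is the NirSoft switch for dumping recovered credentials to a text
# file; a compiler being handed it is the tell in the process-creation lines above.
STEXT_SWITCH = re.compile(r"(^|\s)/stext\s", re.IGNORECASE)

# Browser credential and history stores opened by vbc.exe in the report.
CREDENTIAL_STORE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\(Login Data|Web Data)$"
    r"|\\Mozilla\\Firefox\\(profiles\.ini|Profiles\\[^\\]+\\(key4\.db|logins\.json|places\.sqlite))$",
    re.IGNORECASE,
)

# Only flag a self-spawn from a user-writable directory (the sample ran from the Desktop);
# browsers and updaters legitimately respawn themselves from Program Files. An assumption.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)


def detect(events):
    """Correlate process-creation and file-open events by PID.

    Each event is a dict with 'type' in {'process_create', 'file_open'}; process_create
    carries pid, image, parent_image, cmdline; file_open carries pid, path.
    Returns (pid, rule, evidence) tuples in event order.
    """
    alerts = []
    hosts = {}  # pid -> image basename for every .NET host binary seen starting
    for ev in events:
        if ev["type"] == "process_create":
            image = ntpath.basename(ev["image"]).lower()
            if ev["image"].lower() == ev["parent_image"].lower() and USER_WRITABLE.match(ev["image"]):
                alerts.append((ev["pid"], "self_spawn_from_user_dir", ev["cmdline"]))
            if image in DOTNET_HOSTS:
                hosts[ev["pid"]] = image  # track quietly; a plain compile is not an alert
                if STEXT_SWITCH.search(ev["cmdline"]):
                    alerts.append((ev["pid"], "dotnet_host_with_stext", ev["cmdline"]))
        elif ev["type"] == "file_open":
            if ev["pid"] in hosts and CREDENTIAL_STORE.search(ev["path"]):
                alerts.append((ev["pid"], "dotnet_host_reads_credential_store", ev["path"]))
    return alerts


FW = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE = r"C:\Users\user\Desktop\4bb2HFlPzo.exe"

# Constructed event stream (not a Sysmon/EDR export); see the lead-in for what is assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3104, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe", "cmdline": SAMPLE},
    {"type": "process_create", "pid": 5200, "image": SAMPLE, "parent_image": SAMPLE, "cmdline": SAMPLE},
    {"type": "process_create", "pid": 1108, "image": FW, "parent_image": SAMPLE,
     "cmdline": f"'{FW}' /stext 'C:\\Users\\user\\AppData\\Local\\Temp\\tmpFFF3.tmp'"},
    {"type": "process_create", "pid": 4036, "image": FW, "parent_image": SAMPLE,
     "cmdline": f"'{FW}' /stext 'C:\\Users\\user\\AppData\\Local\\Temp\\tmpF540.tmp'"},
    {"type": "file_open", "pid": 1108, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 1108, "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"type": "file_open", "pid": 4036, "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"type": "file_open", "pid": 4036, "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\key4.db"},
    {"type": "file_open", "pid": 4036, "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0i8ia8vs.default\places.sqlite"},
    # Benign control: a real compile started by MSBuild that only reads source files.
    {"type": "process_create", "pid": 7000, "image": FW,
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": f"{FW} /noconfig /out:App.exe Module1.vb"},
    {"type": "file_open", "pid": 7000, "path": r"C:\build\Module1.vb"},
]

if __name__ == "__main__":
    for pid, rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{pid:6} {rule:36} {evidence}")
```

The "/stext" rule fires on the command line alone, before any file is touched, so it is the one to alert on in real time; the credential-store rule is the corroboration that turns it from suspicious into confirmed, and it deliberately stays silent for the MSBuild-driven compile even though that too is vbc.exe.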

Remote Access Functionality:

Detected HawkEye Rat
Source: 4bb2HFlPzo.exe, 00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Source: 4bb2HFlPzo.exe, 00000001.00000002.1482683687.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: _Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL_PanelSecret_LogInterval_PasswordStealer_KeyStrokeLogger_ClipboardLogger_ScreenshotLogger_WebCamLogger_SystemInfo_Install_InstallLocation_InstallFolder_InstallFileName_InstallStartup_InstallStartupPersistance_HistoryCleaner_ZoneID_HideFile_MeltFile_Disablers_DisableTaskManager_DisableCommandPrompt_DisableRegEdit_ProcessProtection_ProcessElevation_AntiVirusKiller_BotKiller_AntiDebugger_ExecutionDelay_FakeMessageShow_FakeMessageTitle_FakeMessageText_FakeMessageIcon_WebsiteVisitor_WebsiteVisitorVisible_WebsiteVisitorSites_WebsiteBlocker_WebsiteBlockerSites_FileBinder_FileBinderFiles
Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000000.00000002.1069186999.0000000003CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1482683687.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1486913150.00000000036F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4bb2HFlPzo.exe PID: 3104, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4bb2HFlPzo.exe PID: 5200, type: MEMORY
Source: Yara match | File source: 1.2.4bb2HFlPzo.exe.400000.0.unpack, type: UNPACKEDPE
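The family verdict rests on two string artefacts: the run of HawkEye configuration field names (_Version_Mutex_Delivery_EmailUsername_...) recovered from the dropper's memory and from the unpacked image, and the list of security-product process names (bdagent.exe, avp.exe, MsMpEng.exe, ...) that feeds the _AntiVirusKiller feature named in that same field list. The Python below is an added example, not the report's Yara rule or HawkEye's code, that scans a memory image for both in narrow (ASCII) and wide (UTF-16LE) form. The reason for scanning both is the practical caveat: the payload is .NET, whose string literals sit in memory as UTF-16LE, so a narrow-only scan, or a Yara string without the wide modifier, finds nothing. The memory image is constructed inline; the marker prefix, the AV name list and the three-name threshold for the combined verdict are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Leading part of the configuration field-name run recovered above; enough to be
# distinctive while tolerating builds that add or rename later fields (an assumption).
HAWKEYE_CONFIG_MARKER = "_Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer"

# Security-product process names found in the sample's memory (the _AntiVirusKiller list).
AV_PROCESS_NAMES = [
    "bdagent.exe", "MSASCui.exe", "avguard.exe", "avgrsx.exe", "avcenter.exe", "avp.exe",
    "zlclient.exe", "wireshark.exe", "avgcsrvx.exe", "avgnt.exe", "hijackthis.exe",
    "avgui.exe", "avgwdsvc.exe", "mbam.exe", "MsMpEng.exe", "ComboFix.exe",
]

# label -> codec; 'utf-16le' is how .NET keeps string literals in memory.
ENCODINGS = {"ascii": "ascii", "utf-16le": "utf-16-le"}


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """All (possibly overlapping) offsets of needle in haystack."""
    offsets, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_memory(image: bytes) -> Dict[str, List[Tuple[str, int, str]]]:
    """Return {'config_marker': [(string, offset, encoding)], 'av_names': [...]}
    after trying every string in both narrow and wide form."""
    hits = {"config_marker": [], "av_names": []}
    for label, codec in ENCODINGS.items():
        for off in find_all(image, HAWKEYE_CONFIG_MARKER.encode(codec)):
            hits["config_marker"].append((HAWKEYE_CONFIG_MARKER, off, label))
        for name in AV_PROCESS_NAMES:
            for off in find_all(image, name.encode(codec)):
                hits["av_names"].append((name, off, label))
    return hits


def verdict(hits, min_av_names: int = 3) -> str:
    """The config marker alone identifies the family; several AV names alongside it
    confirm the AntiVirusKiller feature is compiled in (threshold is an assumption)."""
    distinct_av = {name for name, _, _ in hits["av_names"]}
    if hits["config_marker"] and len(distinct_av) >= min_av_names:
        return "hawkeye-config+avkiller"
    if hits["config_marker"]:
        return "hawkeye-config"
    return "no-match"


def build_sample_image() -> bytes:
    """Constructed memory image, not a dump: filler, the marker as a .NET (UTF-16LE)
    string, two AV names as UTF-16LE, and one as narrow ASCII."""
    full_marker = ("_Version_Mutex_Delivery_EmailUsername_EmailPassword_EmailServer_EmailPort_EmailSSL"
                   "_FTPServer_FTPUsername_FTPPassword_FTPPort_FTPSFTP_ProxyURL_ProxySecret_PanelURL")
    return (b"\x00" * 32 + b"MZ" + b"\x90" * 30                      # marker begins at offset 64
            + full_marker.encode("utf-16-le") + b"\x00" * 16
            + "avp.exe".encode("utf-16-le") + b"\x00\x00"
            + "MsMpEng.exe".encode("utf-16-le") + b"\x00\x00"
            + b"wireshark.exe\x00" + b"\x00" * 16)


if __name__ == "__main__":
    image = build_sample_image()
    result = scan_memory(image)
    print("narrow-only marker hits:", find_all(image, HAWKEYE_CONFIG_MARKER.encode("ascii")))
    print("marker:", result["config_marker"])
    print("av names:", sorted(result["av_names"]))
    print("verdict:", verdict(result))
```

Run against the constructed image, the narrow-only search for the marker returns nothing while the wide search finds it at offset 64, which is exactly the miss a Yara rule written with `ascii` but not `wide` would produce against this sample's memory.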

Mitre Att&ck Matrix

One tactic per column in the original matrix, listed here per tactic in column order. Techniques the report tied to this sample carry the matrix's signature-count badge(s) in brackets, kept exactly as extracted; where several badges sat on one cell their digits appear run together (e.g. [212], [111]).

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Windows Management Instrumentation [111]; Execution through API [11]; Execution through Module Load [1]; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
Privilege Escalation: Access Token Manipulation [1]; Process Injection [212]; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
Defense Evasion: Masquerading [1]; Software Packing [3]; Disabling Security Tools [1]; Virtualization/Sandbox Evasion [13]; Access Token Manipulation [1]; Timestomp [1]; Process Injection [212]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]
Credential Access: Credential Dumping [1]; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
Discovery: System Time Discovery [1]; Virtualization/Sandbox Evasion [13]; Process Discovery [4]; Security Software Discovery [23]; System Network Configuration Discovery [1]; File and Directory Discovery [2]; System Information Discovery [18]; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
Collection: Data from Local System [1]; Clipboard Data [2]; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection
Exfiltration: Data Encrypted [11]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Standard Cryptographic Protocol [1]; Remote Access Tools [1]; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                Behavior Graph


                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet