Analysis Report PO-1151.scr

Overview

General Information

Sample Name: PO-1151.scr (renamed file extension from scr to exe)
Analysis ID: 252782
MD5: e10e52b1b63ab576d01720563cbc3e1e
SHA1: c94588afb551c9f0350f6c9ccbe1696244b61a89
SHA256: a72abccbb65d45e50e2bdac6fbfcc3832af2be5e8bb2c20904674b8e59fc667c

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
May check the online IP address of the machine
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO-1151.exe (PID: 6472 cmdline: 'C:\Users\user\Desktop\PO-1151.exe' MD5: E10E52B1B63AB576D01720563CBC3E1E)
    • schtasks.exe (PID: 3804 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp11D0.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO-1151.exe (PID: 4780 cmdline: {path} MD5: E10E52B1B63AB576D01720563CBC3E1E)
    • PO-1151.exe (PID: 4616 cmdline: {path} MD5: E10E52B1B63AB576D01720563CBC3E1E)
      • vbc.exe (PID: 5704 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 3744 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • dw20.exe (PID: 6792 cmdline: dw20.exe -x -s 1652 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • svchost.exe (PID: 5704 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
PO-1151.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x195b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\&startupname&.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x195b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.236413761.00000000003E2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x193b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000004.00000000.237471698.0000000000D42000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x193b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000000.223185729.0000000000522000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x193b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000007.00000002.270225413.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x202969:$key: HawkEyeKeylogger
  • 0x284989:$key: HawkEyeKeylogger
  • 0x204b7d:$salt: 099u787978786
  • 0x286b9d:$salt: 099u787978786
  • 0x202f98:$string1: HawkEye_Keylogger
  • 0x203deb:$string1: HawkEye_Keylogger
  • 0x204add:$string1: HawkEye_Keylogger
  • 0x284fb8:$string1: HawkEye_Keylogger
  • 0x285e0b:$string1: HawkEye_Keylogger
  • 0x286afd:$string1: HawkEye_Keylogger
  • 0x203381:$string2: holdermail.txt
  • 0x2033a1:$string2: holdermail.txt
  • 0x2853a1:$string2: holdermail.txt
  • 0x2853c1:$string2: holdermail.txt
  • 0x2032c3:$string3: wallet.dat
  • 0x2032db:$string3: wallet.dat
  • 0x2032f1:$string3: wallet.dat
  • 0x2852e3:$string3: wallet.dat
  • 0x2852fb:$string3: wallet.dat
  • 0x285311:$string3: wallet.dat
  • 0x2046bf:$string4: Keylog Records

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.PO-1151.exe.d40000.1.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x195b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
4.0.PO-1151.exe.d40000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x195b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.PO-1151.exe.520000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x195b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.0.PO-1151.exe.520000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth
  • 0x195b1:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
7.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp11D0.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp11D0.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PO-1151.exe' , ParentImage: C:\Users\user\Desktop\PO-1151.exe, ParentProcessId: 6472, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp11D0.tmp', ProcessId: 3804
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\PO-1151.exe, ParentProcessId: 4616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, ProcessId: 5704
Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\PO-1151.exe, ParentProcessId: 4616, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', ProcessId: 5704
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\PO-1151.exe, ParentProcessId: 4616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, ProcessId: 5704

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe | Virustotal: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: PO-1151.exe | ReversingLabs: Detection: 22%
Source: 4.2.PO-1151.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.PO-1151.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: PO-1151.exe, 00000004.00000002.282088758.00000000033B1000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_055D9D50
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_055D5B70
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then call 055D1B20h | 4_2_055D8018
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_055D8018
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_055D6038
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then mov esp, ebp | 4_2_055D482F
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_055D0728
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_055D14C0
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_055D17F8
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 4_2_055D9EE7
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then jmp 055D1A73h | 4_2_055D19B0
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4x nop then jmp 055D1A73h | 4_2_055D19A0

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_014FA09A recv
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 75.103.13.0.in-addr.arpa
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO-1151.exe, 00000004.00000002.280832649.0000000001520000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.
Source: PO-1151.exe, 00000004.00000002.280832649.0000000001520000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: PO-1151.exe, 00000004.00000002.282088758.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
Source: PO-1151.exe, 00000004.00000002.282088758.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO-1151.exe, 00000004.00000003.279648239.0000000005AB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: PO-1151.exe, 00000004.00000003.279648239.0000000005AB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcem
Source: PO-1151.exe, 00000004.00000003.279648239.0000000005AB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: PO-1151.exe, 00000004.00000003.279648239.0000000005AB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comttcu
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO-1151.exe, 00000004.00000003.242430115.0000000005AC3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnf
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000003.244990023.0000000005AB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO-1151.exe, 00000004.00000003.245165040.0000000005AB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: PO-1151.exe, 00000004.00000003.245165040.0000000005AB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/G$
Source: PO-1151.exe, 00000004.00000003.245165040.0000000005AB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/N$
Source: PO-1151.exe, 00000004.00000003.245165040.0000000005AB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Q$
Source: PO-1151.exe, 00000004.00000003.245165040.0000000005AB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: PO-1151.exe, 00000004.00000003.245165040.0000000005AB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PO-1151.exe, 00000004.00000003.244990023.0000000005AB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q$
Source: PO-1151.exe, 00000004.00000003.244789449.0000000005AB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/sl-s
Source: PO-1151.exe, 00000004.00000003.245165040.0000000005AB3000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: PO-1151.exe, 00000004.00000003.248695938.0000000005AF1000.00000004.00000001.sdmp | String found in binary or memory: http://www.monot.l
Source: PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp, vbc.exe, vbc.exe, 00000007.00000002.270225413.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PO-1151.exe, 00000004.00000002.282088758.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO-1151.exe, 00000004.00000002.289090631.0000000006D62000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO-1151.exe, 00000004.00000002.282088758.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.com/
Source: PO-1151.exe, 00000004.00000002.282088758.00000000033B1000.00000004.00000001.sdmp | String found in binary or memory: https://whatismyipaddress.comx&
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 4.2.PO-1151.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
Source: PO-1151.exe, 00000000.00000002.238858149.0000000000D30000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.282088758.00000000033B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.PO-1151.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.PO-1151.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_00CEB2CE NtQuerySystemInformation
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_00CEB293 NtQuerySystemInformation
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_05655D36 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_05655BE6 NtQuerySystemInformation
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_05655C8E NtResumeThread
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_05655D09 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_05655BA2 NtQuerySystemInformation
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_00526A4A
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_0052A749
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_01070D18
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_01072A84
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_01070FE0
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_01070FF0
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_01070006
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_01070A58
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_01070070
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC28CF
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC68E8
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC15C0
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC51FF
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC49E8
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC2D67
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC3EEF
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DCDB58
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DCE778
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC5B1F
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC0320
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC6CC0
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC680F
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC75D8
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DCBDC8
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DCC9F0
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC75E8
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC49E4
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC8588
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC954F
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC8978
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC8578
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC8977
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC0936
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC5658
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC1668
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC03D2
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DCF3C8
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DCC398
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC8740
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC8B08
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC6F08
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DCE338
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 0_2_04DC8738
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 3_2_003E6A4A
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 3_2_003EA749
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_00D4A749
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_00D46A4A
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_055D5758
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_055D6048
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_055D7CC0
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_055D1DA8
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_055D8018
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_055D7098
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_055D1D98
Source: C:\Users\user\Desktop\PO-1151.exe | Code function: 4_2_055D7088
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00404DDB
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0040BD8A7_2_0040BD8A
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00404E4C7_2_00404E4C
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00404EBD7_2_00404EBD
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00404F4E7_2_00404F4E
      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 176
Source: PO-1151.exe, 00000000.00000002.239868089.0000000002CE2000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.238391597.00000000005FA000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameuFZeo.exe4 vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.245208274.00000000053F0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLoreal.exe4 vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.245658276.0000000005DD0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.244710842.0000000004E80000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSparta.dll. vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.245182386.00000000053D0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.245182386.00000000053D0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.238858149.0000000000D30000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenamemscorwks.dllT vs PO-1151.exe
Source: PO-1151.exe, 00000000.00000002.244511377.0000000004E20000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs PO-1151.exe
Source: PO-1151.exe, 00000003.00000000.236554525.00000000004BA000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameuFZeo.exe4 vs PO-1151.exe
Source: PO-1151.exe, 00000004.00000002.285255808.00000000056F0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs PO-1151.exe
Source: PO-1151.exe, 00000004.00000002.279989170.0000000000482000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs PO-1151.exe
Source: PO-1151.exe, 00000004.00000002.289416285.0000000007630000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO-1151.exe
Source: PO-1151.exe, 00000004.00000002.289586946.0000000007C50000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO-1151.exe
Source: PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO-1151.exe
Source: PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs PO-1151.exe
Source: PO-1151.exe, 00000004.00000002.280832649.0000000001520000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenamemscorwks.dllT vs PO-1151.exe
Source: PO-1151.exe, 00000004.00000000.237587807.0000000000E1A000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameuFZeo.exe4 vs PO-1151.exe
Source: PO-1151.exe; Binary or memory string: OriginalFilenameuFZeo.exe4 vs PO-1151.exe
Source: C:\Users\user\Desktop\PO-1151.exe; Section loaded: security.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll (reported twice)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll (reported twice)
Matched rule: SUSP_Reversed_Base64_Encoded_EXE (date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file), matched by:
Source: PO-1151.exe, type: SAMPLE
Source: 00000003.00000000.236413761.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: 00000004.00000000.237471698.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: 00000000.00000000.223185729.0000000000522000.00000002.00020000.sdmp, type: MEMORY
Source: 00000004.00000002.280004902.0000000000D42000.00000002.00020000.sdmp, type: MEMORY
Source: 00000000.00000002.238276485.0000000000522000.00000002.00020000.sdmp, type: MEMORY
Source: 00000003.00000002.236682137.00000000003E2000.00000002.00020000.sdmp, type: MEMORY
Source: Process Memory Space: PO-1151.exe PID: 6472, type: MEMORY
Source: Process Memory Space: PO-1151.exe PID: 4616, type: MEMORY
Source: Process Memory Space: PO-1151.exe PID: 4780, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\&startupname&.exe, type: DROPPED
Source: 4.2.PO-1151.exe.d40000.1.unpack, type: UNPACKEDPE
Source: 4.0.PO-1151.exe.d40000.0.unpack, type: UNPACKEDPE
Source: 0.2.PO-1151.exe.520000.0.unpack, type: UNPACKEDPE
Source: 0.0.PO-1151.exe.520000.0.unpack, type: UNPACKEDPE
Source: 3.2.PO-1151.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: 3.0.PO-1151.exe.3e0000.0.unpack, type: UNPACKEDPE
Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye), matched by:
Source: 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: 4.2.PO-1151.exe.400000.0.unpack, type: UNPACKEDPE
Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research), matched by:
Source: 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.282088758.00000000033B1000.00000004.00000001.sdmp, type: MEMORY
Source: 4.2.PO-1151.exe.400000.0.unpack, type: UNPACKEDPE
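The SUSP_Reversed_Base64_Encoded_EXE matches above all point at one trick: the next stage is stored as a base64 string written backwards, so a plain search for the base64 form of an MZ header finds nothing until the string is reversed. The Python below is an added example written for this page, not code from the sandbox, from the Yara rule or from the sample. It derives the reversed anchor string a rule of this kind can key on, then carves base64 runs from a binary and decodes them in both orientations, checking for an MZ magic and a PE signature at e_lfanew. The carrier blob and the minimal MZ/PE skeleton inside it are constructed for the demonstration; the real rule's string set is not reproduced here.

```python
import base64
import re
from typing import List, Optional, Tuple

# Leading DOS header fields of a typical PE (e_magic "MZ", e_cblp 0x90, e_cp 3,
# e_crlc 0, e_cparhdr 4). Base64-encoded they give "TVqQAAMAAAAEAAAA", the
# classic anchor for spotting a base64-embedded executable.
MZ_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"

# A run of base64 alphabet characters with optional padding at either end:
# at the end for a normal string, at the start once the string is reversed.
B64_RUN = re.compile(rb"={0,2}[A-Za-z0-9+/]{64,}={0,2}")


def reversed_mz_prefix() -> bytes:
    """The anchor a reversed-base64 rule can key on: the usual base64 MZ
    prefix written backwards (b'AAAAEAAAAMAAQqVT')."""
    return base64.b64encode(MZ_HEADER_PREFIX)[::-1]


def try_decode(run: bytes) -> Optional[bytes]:
    """Strictly decode a base64 run after re-padding it to a multiple of four.
    Runs are assumed to be delimited by non-alphabet bytes, as in a string
    resource; alphabet characters glued to the run would break decoding."""
    body = run.strip(b"=")
    body += b"=" * (-len(body) % 4)
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_pe(raw: bytes) -> bool:
    """MZ magic plus a PE\\0\\0 signature at the e_lfanew offset."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(raw[0x3C:0x40], "little")
    return raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(data: bytes) -> List[Tuple[str, int, int]]:
    """Carve base64 runs from data and report those that decode to a PE image
    in either orientation, as (orientation, offset_in_data, decoded_size)."""
    hits = []
    for m in B64_RUN.finditer(data):
        run = m.group(0)
        for orientation, candidate in (("forward", run), ("reversed", run[::-1])):
            raw = try_decode(candidate)
            if raw is not None and looks_like_pe(raw):
                hits.append((orientation, m.start(), len(raw)))
    return hits


def fake_pe(size: int = 256) -> bytes:
    """Constructed MZ/PE header skeleton for the demonstration, not a real
    executable: MZ header, e_lfanew = 0x80, PE signature at 0x80."""
    img = bytearray(size)
    img[:len(MZ_HEADER_PREFIX)] = MZ_HEADER_PREFIX
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


# Constructed carrier: the reversed base64 payload between non-base64 bytes,
# mimicking a string resource inside a .NET loader.
SAMPLE_BLOB = b"\x00\x01resource\x00" + base64.b64encode(fake_pe())[::-1] + b"\x00\xff"

if __name__ == "__main__":
    print("reversed anchor:", reversed_mz_prefix().decode())
    print("hits in constructed blob:", find_embedded_pe(SAMPLE_BLOB))
```

The anchor returned by reversed_mz_prefix() is the string to add to a scanner that already looks for the forward "TVqQAAMAAA" form; the carving function is the slower but orientation-agnostic check to run on resources and memory dumps such as the sdmp regions listed above.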
Source: PO-1151.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: &startupname&.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4.2.PO-1151.exe.400000.0.unpack, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' (three occurrences)
Source: 4.2.PO-1151.exe.400000.0.unpack, Form1.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.PO-1151.exe.400000.0.unpack, Form1.cs; Base64 encoded string: 'WFIVsMc4kcNFzOPOL5hMnllIraNl0011fAOpOYt0S6dK698CFPaC9uQYyyAQo9kb0KF1ETFrF/U5l/tSvvdcJQ==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: PO-1151.exe, 00000004.00000003.279648239.0000000005AB0000.00000004.00000001.sdmp; Binary or memory string: Trademark of Monotype Typography ltd registered in the US Pat & TM.and elsewhere.slnt
Source: classification engine; Classification label: mal100.phis.troj.spyw.evad.winEXE@16/13@4/2
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 0_2_00CEAD1A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 0_2_00CEACE3 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 4_2_0565404A AdjustTokenPrivileges
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 4_2_05654013 AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\PO-1151.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO-1151.exe.log
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_01
Source: C:\Users\user\Desktop\PO-1151.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3744
Source: C:\Users\user\Desktop\PO-1151.exe; File created: C:\Users\user\AppData\Local\Temp\&startupname&.exe
Source: PO-1151.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO-1151.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll (reported twice)
Source: C:\Users\user\Desktop\PO-1151.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (reported twice)
Source: C:\Users\user\Desktop\PO-1151.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (reported twice)
Source: C:\Users\user\Desktop\PO-1151.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO-1151.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO-1151.exe; File read: C:\Windows\System32\drivers\etc\hosts (4 times)
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts (twice)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe; File read: C:\Windows\System32\drivers\etc\hosts (twice)
The following SQLite statements (from the embedded NirSoft tools' browser-database handling) appear in both PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp and PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp:
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO-1151.exe; ReversingLabs: Detection: 22%
Source: C:\Users\user\Desktop\PO-1151.exe; File read: C:\Users\user\Desktop\PO-1151.exe
Source: unknown; Process created: C:\Users\user\Desktop\PO-1151.exe 'C:\Users\user\Desktop\PO-1151.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp11D0.tmp'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\Desktop\PO-1151.exe {path} (two instances)
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 176
Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1652
Source: unknown; Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\PO-1151.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp11D0.tmp'
Source: C:\Users\user\Desktop\PO-1151.exe; Process created: C:\Users\user\Desktop\PO-1151.exe {path} (two instances)
Source: C:\Users\user\Desktop\PO-1151.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\PO-1151.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\PO-1151.exe; Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1652
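The process tree above is the whole HawkEye credential-theft chain in three commands: a scheduled task registered from an XML file in the user's Temp directory, the sample re-launching its own image with the literal command line {path} (the hollowed child), and vbc.exe started with /stext. That switch is not a compiler option; it is NirSoft's "save as text" switch, so mailpv and WebBrowserPassView were injected into the VB.NET compiler and told to write their output to holdermail.txt and holderwb.txt. The following Python is an added detection example for this page, not code from the report or from any product. The event fields are an assumed Sysmon-style shape; the events are constructed from the command lines above (the parent of the first event is assumed, since the report lists it as unknown) plus one benign compiler invocation that must stay quiet.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation event. Field names are an assumption modelled
    on Sysmon event ID 1 / EDR telemetry, not a format this report uses."""
    parent_image: str
    image: str
    command_line: str


# Temp locations a task XML has no business living in.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)


def rule_vbc_stext(e: ProcEvent) -> bool:
    """vbc.exe (the VB.NET compiler) has no /stext switch. /stext is the NirSoft
    'save as text' option, so its presence means a password-recovery tool was
    injected into vbc.exe and is dumping credentials to a file."""
    return e.image.lower().endswith("\\vbc.exe") and "/stext" in e.command_line.lower()


def rule_schtasks_xml_from_temp(e: ProcEvent) -> bool:
    """Scheduled task registered from an XML definition in a temp directory."""
    cl = e.command_line.lower()
    return (e.image.lower().endswith("\\schtasks.exe")
            and "/create" in cl and "/xml" in cl
            and TEMP_DIR.search(e.command_line) is not None)


def rule_self_spawn_placeholder_cmdline(e: ProcEvent) -> bool:
    """A process starting a copy of its own image with the literal '{path}'
    command line, exactly as the report's tree shows for the hollowed child."""
    return (e.parent_image.lower() == e.image.lower()
            and e.command_line.strip() == "{path}")


RULES = {
    "vbc_nirsoft_stext": rule_vbc_stext,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "self_spawn_placeholder_cmdline": rule_self_spawn_placeholder_cmdline,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    """Run every rule over every event; return (rule_name, event) pairs."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed events mirroring the process tree in this report, plus one
# benign compiler invocation that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\user\Desktop\PO-1151.exe",
              r"'C:\Users\user\Desktop\PO-1151.exe'"),
    ProcEvent(r"C:\Users\user\Desktop\PO-1151.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp11D0.tmp'"),
    ProcEvent(r"C:\Users\user\Desktop\PO-1151.exe", r"C:\Users\user\Desktop\PO-1151.exe",
              "{path}"),
    ProcEvent(r"C:\Users\user\Desktop\PO-1151.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "
              r"'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcEvent(r"C:\Program Files\dotnet\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"vbc.exe /noconfig /out:Module1.exe Module1.vb"),
]


def alert_names(events: List[ProcEvent] = SAMPLE_EVENTS) -> List[str]:
    """Rule names that fired, in event order."""
    return [name for name, _ in evaluate(events)]


if __name__ == "__main__":
    for name, event in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {event.image} {event.command_line}")
```

The vbc.exe rule is the highest-value one of the three: a build server legitimately runs the compiler all day, but never with a NirSoft switch, so the false-positive rate is essentially nil. The self-spawn rule is specific to this loader's {path} artefact and should be widened to any parent-equals-child launch whose command line is not a real path before it is used in production.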
Source: C:\Users\user\Desktop\PO-1151.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\PO-1151.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: PO-1151.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\PO-1151.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: PO-1151.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary string (PDB path): C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb; source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000002.289416285.0000000007630000.00000004.00000001.sdmp
Binary string (PDB path): f:\Projects\VS2005\mailpv\Release\mailpv.pdb; source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp, vbc.exe
Binary string (PDB path): f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb; source: PO-1151.exe, 00000000.00000002.242652681.0000000003CE7000.00000004.00000001.sdmp, PO-1151.exe, 00000004.00000002.279935532.0000000000402000.00000040.00000001.sdmp
Binary string (PDB path): mscorrc.pdb; source: PO-1151.exe, 00000000.00000002.244511377.0000000004E20000.00000002.00000001.sdmp, PO-1151.exe, 00000004.00000002.285255808.00000000056F0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 4.2.PO-1151.exe.400000.0.unpack, Form1.cs; .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.PO-1151.exe.400000.0.unpack, Form1.cs; .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.PO-1151.exe.400000.0.unpack, Form1.cs; .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.PO-1151.exe.400000.0.unpack, Form1.cs; .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00403C3D LoadLibraryA,GetProcAddress,strcpy
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 0_2_01071452 pushfd ; iretd 0_2_01071453
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 0_2_04DC11E9 push 3E480108h; iretd 0_2_04DC122E
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 0_2_04DC9ABF push esi; retf 0_2_04DC9AC1
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 0_2_04DC43D0 push FFFFFFABh; iretd 0_2_04DC43D2
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 4_2_01507F90 push eax; ret 4_2_01507F95
Source: C:\Users\user\Desktop\PO-1151.exe; Code function: 4_2_01507EF4 push eax; ret 4_2_01507EF5
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00411879 push ecx; ret 7_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_004118A0 push eax; ret 7_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_004118A0 push eax; ret 7_2_004118DC
Source: initial sample; Static PE information: section name: .text entropy: 7.83804189151 (reported twice)
Source: C:\Users\user\Desktop\PO-1151.exe; File created (dropped file): C:\Users\user\AppData\Local\Temp\&startupname&.exe
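The .text entropy of 7.838 reported above, on a section flagged executable and code but not writable, is the standard packed-section signal: plain compiled x86 code typically sits well below 7 bits per byte, while compressed or encrypted data approaches the 8-bit maximum. The Python below is an added example for this page, not code from the report. It computes Shannon entropy, applies the section characteristic flags exactly as listed for this sample, and uses a threshold of 7.2 that is a triage assumption rather than a value from the page. The section contents are constructed (deterministic pseudo-random bytes standing in for packed code, and a repeated x86 prologue standing in for plain code); reading real section headers from a file would need a PE parser such as pefile, which is not shown here.

```python
import hashlib
import math
from collections import Counter
from typing import Dict, List

# Section characteristic flags from the PE specification (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed triage threshold, not a value from the report: ordinary compiled
# code stays below it, compressed or encrypted data exceeds it.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_section(name: str, characteristics: int, raw: bytes) -> Dict:
    """Flag executable sections whose contents look packed or encrypted, and
    sections that are both writable and executable (self-modifying code)."""
    entropy = shannon_entropy(raw)
    executable = bool(characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
    findings: List[str] = []
    if executable and entropy > PACKED_ENTROPY_THRESHOLD:
        findings.append("high-entropy-code-section")
    if executable and characteristics & IMAGE_SCN_MEM_WRITE:
        findings.append("writable-executable-section")
    return {"name": name, "entropy": round(entropy, 3), "findings": findings}


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 counter chain) standing in
    for packed code, so the example runs identically everywhere."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed section contents: one packed-looking .text and one plain one
# (a repeated x86 function prologue, far fewer distinct byte values).
PACKED_TEXT = pseudo_random_bytes(64 * 1024)
PLAIN_TEXT = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08\x33\xdb" * 4096

# The .text characteristics listed for this sample in the report.
TEXT_FLAGS = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ

if __name__ == "__main__":
    for label, blob in (("packed-like", PACKED_TEXT), ("plain-like", PLAIN_TEXT)):
        print(label, assess_section(".text", TEXT_FLAGS, blob))
```

Entropy alone is a heuristic, not proof: a .text section that is mostly embedded resources or a large compressed asset can score high without being packed, so the finding is a reason to unpack and look, as the sandbox did when it produced the .unpack artefacts above.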

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmp11D0.tmp'

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\PO-1151.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\SysWOW64\WerFault.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Users\user\Desktop\PO-1151.exe; Process information set: NOOPENFILEERRORBOX