
Analysis Report O7292020987725545.PDF.exe

Overview

General Information

Sample Name: O7292020987725545.PDF.exe
Analysis ID: 252901
MD5: ea1fd15ccebbaf20b2d2c20e59289e2c
SHA1: 6c6fa518ea45ecefb182e7906aad81fc77b8bb4f
SHA256: 814a5dc8dbe791a8e554c6823eedb3b4e9bfcd1006901df2f3468f71d1dd8437

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • O7292020987725545.PDF.exe (PID: 6716 cmdline: 'C:\Users\user\Desktop\O7292020987725545.PDF.exe' MD5: EA1FD15CCEBBAF20B2D2C20E59289E2C)
    • O7292020987725545.PDF.exe (PID: 6924 cmdline: {path} MD5: EA1FD15CCEBBAF20B2D2C20E59289E2C)
      • vbc.exe (PID: 5908 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 60 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • wuapihost.exe (PID: 4112 cmdline: C:\Windows\System32\wuapihost.exe -Embedding MD5: 85C9C161B102A164EC09A23CACDDD09E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: O7292020987725545.PDF.exe Rule: SUSP_Reversed_Base64_Encoded_EXE Description: Detects an base64 encoded executable with reversed characters Author: Florian Roth
  • 0x1e436:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source: 00000000.00000002.244463172.0000000000D62000.00000002.00020000.sdmp Rule: SUSP_Reversed_Base64_Encoded_EXE Description: Detects an base64 encoded executable with reversed characters Author: Florian Roth
  • 0x1e236:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000002.00000000.242691308.00000000007C2000.00000002.00020000.sdmp Rule: SUSP_Reversed_Base64_Encoded_EXE Description: Detects an base64 encoded executable with reversed characters Author: Florian Roth
  • 0x1e236:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000007.00000002.276507041.0000000000400000.00000040.00000001.sdmp Rule: JoeSecurity_WebBrowserPassView Description: Yara detected WebBrowserPassView password recovery tool Author: Joe Security
Source: 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp Rule: RAT_HawkEye Description: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b719:$key: HawkEyeKeylogger
  • 0x7d917:$salt: 099u787978786
  • 0x7bd32:$string1: HawkEye_Keylogger
  • 0x7cb85:$string1: HawkEye_Keylogger
  • 0x7d877:$string1: HawkEye_Keylogger
  • 0x7c11b:$string2: holdermail.txt
  • 0x7c13b:$string2: holdermail.txt
  • 0x7c05d:$string3: wallet.dat
  • 0x7c075:$string3: wallet.dat
  • 0x7c08b:$string3: wallet.dat
  • 0x7d459:$string4: Keylog Records
  • 0x7d771:$string4: Keylog Records
  • 0x7d96f:$string5: do not script -->
  • 0x7b701:$string6: \pidloc.txt
  • 0x7b767:$string7: BSPLIT
  • 0x7b777:$string7: BSPLIT
Source: 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp Rule: JoeSecurity_MailPassView Description: Yara detected MailPassView Author: Joe Security
(21 further entries not shown)

Unpacked PEs

Source: 6.2.vbc.exe.400000.0.raw.unpack Rule: JoeSecurity_MailPassView Description: Yara detected MailPassView Author: Joe Security
Source: 0.2.O7292020987725545.PDF.exe.d60000.0.unpack Rule: SUSP_Reversed_Base64_Encoded_EXE Description: Detects an base64 encoded executable with reversed characters Author: Florian Roth
  • 0x1e436:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 2.0.O7292020987725545.PDF.exe.7c0000.0.unpack Rule: SUSP_Reversed_Base64_Encoded_EXE Description: Detects an base64 encoded executable with reversed characters Author: Florian Roth
  • 0x1e436:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 2.2.O7292020987725545.PDF.exe.7c0000.1.unpack Rule: SUSP_Reversed_Base64_Encoded_EXE Description: Detects an base64 encoded executable with reversed characters Author: Florian Roth
  • 0x1e436:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 0.0.O7292020987725545.PDF.exe.d60000.0.unpack Rule: SUSP_Reversed_Base64_Encoded_EXE Description: Detects an base64 encoded executable with reversed characters Author: Florian Roth
  • 0x1e436:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
(7 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started Author: Florian Roth (rule), @blu3_team (idea): Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\O7292020987725545.PDF.exe, NewProcessName: C:\Users\user\Desktop\O7292020987725545.PDF.exe, OriginalFileName: C:\Users\user\Desktop\O7292020987725545.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\O7292020987725545.PDF.exe' , ParentImage: C:\Users\user\Desktop\O7292020987725545.PDF.exe, ParentProcessId: 6716, ProcessCommandLine: {path}, ProcessId: 6924
Sigma detected: Suspicious Process Creation
Source: Process started Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update): Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\O7292020987725545.PDF.exe, ParentProcessId: 6924, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', ProcessId: 5908

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: O7292020987725545.PDF.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: O7292020987725545.PDF.exe Virustotal: Detection: 36%
Source: O7292020987725545.PDF.exe ReversingLabs: Detection: 52%
Machine Learning detection for sample
Source: O7292020987725545.PDF.exe Joe Sandbox ML: detected
Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 2_2_0745FE8B
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 2_2_0814018F
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 2_2_08140326

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.4:49723 -> 103.27.200.199:21
Source: global traffic TCP traffic: 192.168.2.4:49724 -> 103.27.200.199:35089
Source: Joe Sandbox View ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH
        Source: unknownFTP traffic detected: 103.27.200.199:21 -> 192.168.2.4:49723 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 14:23. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 14:23. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 14:23. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 9 of 50 allowed.220-Local time is now 14:23. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.276507041.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.276507041.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.276252714.0000000000A6C000.00000004.00000001.sdmp String found in binary or memory: ogle.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.276252714.0000000000A6C000.00000004.00000001.sdmp String found in binary or memory: ogle.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: 174.109.0.0.in-addr.arpa
Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: O7292020987725545.PDF.exe, 00000002.00000002.486472165.0000000002C8F000.00000004.00000001.sdmp String found in binary or memory: http://ftp.triplelink.co.th
Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: O7292020987725545.PDF.exe, 00000002.00000002.485241423.0000000002B21000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, vbc.exe, 00000007.00000002.276507041.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: O7292020987725545.PDF.exe, 00000002.00000002.485241423.0000000002B21000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: O7292020987725545.PDF.exe, 00000000.00000002.265057342.0000000007242000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.492346533.0000000005E50000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 00000007.00000003.276290183.0000000000A6B000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.485241423.0000000002B21000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: O7292020987725545.PDF.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_00D62243
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_00D65BBD
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_0158C234
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_0158E850
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_0158E840
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B6F78
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B5F68
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B8658
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B4DF0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B6AD0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B81F8
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079BA948
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B1730
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B1720
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B5F58
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B6F68
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B0ED8
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B0EE8
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079BA618
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079BA628
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B564D
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B5670
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B566B
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B4DE0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B14D0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B14C3
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B0C00
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B2428
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B7391
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079BAB90
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079BAB80
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B73A0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B0BF1
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B23E9
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B6350
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B6343
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B1290
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B1280
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B6ACB
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B81E8
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B1910
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B1900
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079BA938
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B0007
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_079B0040
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 0_2_00D646CD
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_007C682D
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_007C2243
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_007C5BBD
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_029AB29C
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_029AC310
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_029AB290
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_029AB1F2
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_029A99D0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_029ADFD0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_0745B4E0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_07450040
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_0745EEC8
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_0745BDB0
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_0745B198
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_07450006
Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe Code function: 2_2_007C46CD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00413538
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004145A17_2_004145A1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0040E6397_2_0040E639
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004337AF7_2_004337AF
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_004399B17_2_004399B1
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_0043DAE77_2_0043DAE7
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00405CF67_2_00405CF6
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00403F857_2_00403F85
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00411F997_2_00411F99
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
        Source: O7292020987725545.PDF.exe, 00000000.00000002.244603766.0000000000E28000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWRxFH.exe4 vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000000.00000002.252094625.000000000372C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000000.00000002.266220121.00000000079F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000002.00000002.483288136.0000000000888000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWRxFH.exe4 vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, 00000002.00000002.482852576.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe | Binary or memory string: OriginalFilenameWRxFH.exe4 vs O7292020987725545.PDF.exe
        Source: O7292020987725545.PDF.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000000.00000002.244463172.0000000000D62000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000002.00000000.242691308.00000000007C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
        Source: 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
        Source: 00000002.00000002.482905524.00000000007C2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000002.00000002.485241423.0000000002B21000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000000.217014538.0000000000D62000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
        Source: 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
        Source: Process Memory Space: O7292020987725545.PDF.exe PID: 6716, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: Process Memory Space: O7292020987725545.PDF.exe PID: 6924, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 0.2.O7292020987725545.PDF.exe.d60000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 2.0.O7292020987725545.PDF.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 2.2.O7292020987725545.PDF.exe.7c0000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 0.0.O7292020987725545.PDF.exe.d60000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
        Source: O7292020987725545.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'xZv2KTjDOGwMPewlL06/2/+cBh+3YNzZLNYqWwxyouAodILYLJV9xZ9CGhDaO0jH', 'G9O9EXxYbTKbu/JIqZ4FXWAEsGCT7RJ+/SHmPiE44HoRMOAUDNTRY4dL0xxXj+PX', 'yFzOCZnSHgqZgbtRiX7zTTL1Qt6D+8cCFAWN8MP9eKKls7OaJo1TF2n4j++JkQX9', 'LeVgD+CCM8vGOvvCfBCbKlOuO22U5biiPlXQ3m1iV5wOttbrqIGRlRjJtF3s2yy7JUW0Ja5O8CmF3VvxZqreIg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
        Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@8/4@5/2
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\O7292020987725545.PDF.exe.log
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\holdermail.txt
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000007.00000002.276507041.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
        Source: O7292020987725545.PDF.exe | Virustotal: Detection: 36%
        Source: O7292020987725545.PDF.exe | ReversingLabs: Detection: 52%
        Source: unknown | Process created: C:\Users\user\Desktop\O7292020987725545.PDF.exe 'C:\Users\user\Desktop\O7292020987725545.PDF.exe'
        Source: unknown | Process created: C:\Users\user\Desktop\O7292020987725545.PDF.exe {path}
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
        Source: unknown | Process created: C:\Windows\System32\wuapihost.exe C:\Windows\System32\wuapihost.exe -Embedding
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Process created: C:\Users\user\Desktop\O7292020987725545.PDF.exe {path}
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
        Source: O7292020987725545.PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: O7292020987725545.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp
        Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe
        Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: O7292020987725545.PDF.exe, 00000000.00000002.259882755.000000000427D000.00000004.00000001.sdmp, O7292020987725545.PDF.exe, 00000002.00000002.482201873.0000000000402000.00000040.00000001.sdmp, vbc.exe

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.O7292020987725545.PDF.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D6CCF7 push es; iretd 0_2_00D6CED6
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D680ED push FFFFFF9Dh; retf 0_2_00D68130
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D6E4B5 push dword ptr [eax-35004F4Fh]; retf 0_2_00D6E4BC
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D681DB pushfd ; retf 0_2_00D68209
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D68199 pushfd ; retf 0_2_00D6819C
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D681AE pushfd ; retf 0_2_00D681DA
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D68131 push FFFFFF9Dh; retf 0_2_00D68130
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D682E5 pushfd ; retf 0_2_00D682E4
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D6E286 push dword ptr [eax-3C005356h]; ret 0_2_00D6E290
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D68280 pushfd ; retf 0_2_00D682BC
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D682BD pushfd ; retf 0_2_00D682E4
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D6820A pushfd ; retf 0_2_00D68209
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D6820A pushfd ; retf 0_2_00D68255
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_00D6F715 push edi; ret 0_2_00D6F7E0
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_0158F630 pushfd ; iretd 0_2_0158F639
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B27F9 pushad ; ret 0_2_079B27FA
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B1B0E push ss; retf 0_2_079B1B10
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B1B35 push ss; retf 0_2_079B1B36
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B2297 push cs; retf 0_2_079B2298
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B22B1 push cs; retf 0_2_079B22B2
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B22DE push cs; retf 0_2_079B22E0
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B1AC3 push ss; retf 0_2_079B1AC4
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B22C5 push cs; retf 0_2_079B22C6
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B1AE5 push ss; retf 0_2_079B1AE7
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B2A49 push es; retf 0_2_079B2A4B
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B227D push cs; retf 0_2_079B227E
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 0_2_079B2A64 push es; retf 0_2_079B2A65
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 2_2_007CCCF7 push es; iretd 2_2_007CCED6
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 2_2_007C80ED push FFFFFF9Dh; retf 2_2_007C8130
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 2_2_007CE4B5 push dword ptr [eax-35004F4Fh]; retf 2_2_007CE4BC
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Code function: 2_2_007C8131 push FFFFFF9Dh; retf 2_2_007C8130
        Source: initial sample | Static PE information: section name: .text entropy: 7.84863773348

        Hooking and other Techniques for Hiding and Protection:

        Changes the view of files in windows explorer (hidden files and folders)
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
        Uses an obfuscated file name to hide its real file extension (double extension)
        Source: Possible double extension: pdf.exe | Static PE information: O7292020987725545.PDF.exe
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
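The entry above is the sandbox's rendering of the sample changing its process error mode; the token NOOPENFILEERRORBOX corresponds by name to the Windows SEM_NOOPENFILEERRORBOX flag (0x8000), which stops the OS from popping a "file not found" dialog and instead returns the error to the process, so a dropper can fail quietly. Because a report like this repeats the same behavior line many times and the extracted text fuses the "Source" and "Process information set" columns, the following Python is an added triage helper (not part of the Joe Sandbox report or its tooling) that parses such lines, strips the "Jump to behavior" link residue, counts identical events per source process and decodes the flag token into its SetErrorMode bitmask. The sample lines are constructed copies of the entry above; the SEM_ constant values are taken from the Windows SDK, and the assumption that the report's token names map one-to-one onto those constants is labelled in the code.

```python
import re
from collections import Counter

# Constructed sample input modelled on the report's "Process information set"
# entries (illustrative copies, not the full report).
SAMPLE_ENTRIES = [
    r"Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
    r"Source: C:\Users\user\Desktop\O7292020987725545.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
]

# SetErrorMode flag values from the Windows SDK (errhandlingapi.h).
# Assumption: the report's token names are the SEM_ constants without the prefix.
SEM_FLAGS = {
    "FAILCRITICALERRORS": 0x0001,
    "NOGPFAULTERRORBOX": 0x0002,
    "NOALIGNMENTFAULTEXCEPT": 0x0004,
    "NOOPENFILEERRORBOX": 0x8000,
}

# The extracted text runs the path straight into the next column and appends the
# "Jump to behavior" link text, so both are handled in the pattern.
ENTRY_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)"
    r"Process information set:\s*(?P<value>[A-Z_|]+?)"
    r"(?:Jump to behavior)?\s*$"
)


def parse_entry(line):
    """Return (source_path, flag_token) for one report line, or None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("source"), m.group("value")


def summarize(lines):
    """Collapse repeated identical events into a Counter keyed by (source, token)."""
    counts = Counter()
    for line in lines:
        parsed = parse_entry(line)
        if parsed:
            counts[parsed] += 1
    return counts


def error_mode_value(token):
    """Decode a flag token (optionally '|'-joined) into the SetErrorMode bitmask."""
    value = 0
    for name in token.split("|"):
        if name not in SEM_FLAGS:
            raise ValueError(f"unknown SetErrorMode flag: {name}")
        value |= SEM_FLAGS[name]
    return value


if __name__ == "__main__":
    for (source, token), n in summarize(SAMPLE_ENTRIES).items():
        print(f"{source}: SetErrorMode token {token} (0x{error_mode_value(token):04X}) seen {n} times")
```

Feeding the whole behavior section through `summarize` turns dozens of identical lines into one row with a count, which is what you want when comparing this sample's error-mode changes against a baseline of benign .NET executables.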