
Analysis Report company certificate.bat

Overview

General Information

Sample Name: company certificate.bat (renamed file extension from bat to exe)
Analysis ID: 294458
MD5: 75d686fb0d5ee29d13d5e687a2f430a7
SHA1: 8209f650199322969c94d1aa344cb679fbc1b3f3
SHA256: 5b6d91f53d20710a4d859832ea83120f55ab02ed666da4685857fa93a5403cf9
Tags: bat, HawkEye, Yahoo

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • company certificate.exe (PID: 6972 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 75D686FB0D5EE29D13D5E687A2F430A7)
    • timeout.exe (PID: 6996 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 4644 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: 75D686FB0D5EE29D13D5E687A2F430A7)
      • WerFault.exe (PID: 2584 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 2024 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1840 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • company certificate.exe (PID: 6444 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 75D686FB0D5EE29D13D5E687A2F430A7)
    • timeout.exe (PID: 6436 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 6152 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: 75D686FB0D5EE29D13D5E687A2F430A7)
      • WerFault.exe (PID: 3088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6152 -s 1248 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4720 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1676 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • company certificate.exe (PID: 4868 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 75D686FB0D5EE29D13D5E687A2F430A7)
    • timeout.exe (PID: 6008 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 7032 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: 75D686FB0D5EE29D13D5E687A2F430A7)
    • WerFault.exe (PID: 5352 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 960 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • company certificate.exe (PID: 488 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 75D686FB0D5EE29D13D5E687A2F430A7)
    • timeout.exe (PID: 2296 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 6856 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: 75D686FB0D5EE29D13D5E687A2F430A7)
    • timeout.exe (PID: 5508 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp; Rule: RAT_HawkEye; Description: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
  • 0x7c38e:$key: HawkEyeKeylogger
  • 0x108656:$key: HawkEyeKeylogger
  • 0x7e5d2:$salt: 099u787978786
  • 0x10a89a:$salt: 099u787978786
  • 0x7c9cf:$string1: HawkEye_Keylogger
  • 0x7d822:$string1: HawkEye_Keylogger
  • 0x7e532:$string1: HawkEye_Keylogger
  • 0x108c97:$string1: HawkEye_Keylogger
  • 0x109aea:$string1: HawkEye_Keylogger
  • 0x10a7fa:$string1: HawkEye_Keylogger
  • 0x7cdb8:$string2: holdermail.txt
  • 0x7cdd8:$string2: holdermail.txt
  • 0x109080:$string2: holdermail.txt
  • 0x1090a0:$string2: holdermail.txt
  • 0x7ccfa:$string3: wallet.dat
  • 0x7cd12:$string3: wallet.dat
  • 0x7cd28:$string3: wallet.dat
  • 0x108fc2:$string3: wallet.dat
  • 0x108fda:$string3: wallet.dat
  • 0x108ff0:$string3: wallet.dat
  • 0x7e0f6:$string4: Keylog Records
Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp; Rule: JoeSecurity_MailPassView; Description: Yara detected MailPassView; Author: Joe Security
Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp; Rule: JoeSecurity_HawkEye; Description: Yara detected HawkEye Keylogger; Author: Joe Security
Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp; Rule: JoeSecurity_WebBrowserPassView; Description: Yara detected WebBrowserPassView password recovery tool; Author: Joe Security
Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp; Rule: Hawkeye; Description: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x7ca27:$hawkstr1: HawkEye Keylogger
  • 0x7d868:$hawkstr1: HawkEye Keylogger
  • 0x7db97:$hawkstr1: HawkEye Keylogger
  • 0x7dcf2:$hawkstr1: HawkEye Keylogger
  • 0x7de55:$hawkstr1: HawkEye Keylogger
  • 0x7e0ce:$hawkstr1: HawkEye Keylogger
  • 0x108cef:$hawkstr1: HawkEye Keylogger
  • 0x109b30:$hawkstr1: HawkEye Keylogger
  • 0x109e5f:$hawkstr1: HawkEye Keylogger
  • 0x109fba:$hawkstr1: HawkEye Keylogger
  • 0x10a11d:$hawkstr1: HawkEye Keylogger
  • 0x10a396:$hawkstr1: HawkEye Keylogger
  • 0x7c5b5:$hawkstr2: Dear HawkEye Customers!
  • 0x7dbea:$hawkstr2: Dear HawkEye Customers!
  • 0x7dd41:$hawkstr2: Dear HawkEye Customers!
  • 0x7dea8:$hawkstr2: Dear HawkEye Customers!
  • 0x10887d:$hawkstr2: Dear HawkEye Customers!
  • 0x109eb2:$hawkstr2: Dear HawkEye Customers!
  • 0x10a009:$hawkstr2: Dear HawkEye Customers!
  • 0x10a170:$hawkstr2: Dear HawkEye Customers!
  • 0x7c6d6:$hawkstr3: HawkEye Logger Details:
(table truncated; 66 entries in total)

Unpacked PEs

Source: 3.2.company certificate.exe.400000.0.unpack; Rule: RAT_HawkEye; Description: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
  • 0x7b8ce:$key: HawkEyeKeylogger
  • 0x7db12:$salt: 099u787978786
  • 0x7bf0f:$string1: HawkEye_Keylogger
  • 0x7cd62:$string1: HawkEye_Keylogger
  • 0x7da72:$string1: HawkEye_Keylogger
  • 0x7c2f8:$string2: holdermail.txt
  • 0x7c318:$string2: holdermail.txt
  • 0x7c23a:$string3: wallet.dat
  • 0x7c252:$string3: wallet.dat
  • 0x7c268:$string3: wallet.dat
  • 0x7d636:$string4: Keylog Records
  • 0x7d94e:$string4: Keylog Records
  • 0x7db6a:$string5: do not script -->
  • 0x7b8b6:$string6: \pidloc.txt
  • 0x7b944:$string7: BSPLIT
  • 0x7b954:$string7: BSPLIT
Source: 3.2.company certificate.exe.400000.0.unpack; Rule: JoeSecurity_MailPassView; Description: Yara detected MailPassView; Author: Joe Security
Source: 3.2.company certificate.exe.400000.0.unpack; Rule: JoeSecurity_HawkEye; Description: Yara detected HawkEye Keylogger; Author: Joe Security
Source: 3.2.company certificate.exe.400000.0.unpack; Rule: JoeSecurity_WebBrowserPassView; Description: Yara detected WebBrowserPassView password recovery tool; Author: Joe Security
Source: 3.2.company certificate.exe.400000.0.unpack; Rule: Hawkeye; Description: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x7bf67:$hawkstr1: HawkEye Keylogger
  • 0x7cda8:$hawkstr1: HawkEye Keylogger
  • 0x7d0d7:$hawkstr1: HawkEye Keylogger
  • 0x7d232:$hawkstr1: HawkEye Keylogger
  • 0x7d395:$hawkstr1: HawkEye Keylogger
  • 0x7d60e:$hawkstr1: HawkEye Keylogger
  • 0x7baf5:$hawkstr2: Dear HawkEye Customers!
  • 0x7d12a:$hawkstr2: Dear HawkEye Customers!
  • 0x7d281:$hawkstr2: Dear HawkEye Customers!
  • 0x7d3e8:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc16:$hawkstr3: HawkEye Logger Details:
(5 entries in total)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: company certificate.exe.6444.8.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: company certificate.exe, Virustotal: Detection: 8%
Source: 3.2.company certificate.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.company certificate.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: 23.2.company certificate.exe.400000.0.unpack, Avira: Label: TR/AD.MExecute.lzrac
Source: 23.2.company certificate.exe.400000.0.unpack, Avira: Label: SPR/Tool.MailPassView.473
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, Binary or memory string: [autorun]

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: unknown, DNS query: name: pastebin.com
Source: Joe Sandbox View, IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View, IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown, DNS traffic detected: queries for: pastebin.com
Source: company certificate.exe, 00000000.00000002.261344677.000000000127F000.00000004.00000020.sdmp, company certificate.exe, 00000008.00000002.325771817.0000000003493000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349270575.0000000002F33000.00000004.00000001.sdmp, company certificate.exe, 00000019.00000002.354417581.0000000002BC3000.00000004.00000001.sdmp, String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: company certificate.exe, 00000000.00000003.241078670.0000000001337000.00000004.00000001.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: company certificate.exe, 00000000.00000003.241078670.0000000001337000.00000004.00000001.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: company certificate.exe, 00000000.00000002.261344677.000000000127F000.00000004.00000020.sdmp, company certificate.exe, 00000008.00000002.325771817.0000000003493000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349270575.0000000002F33000.00000004.00000001.sdmp, company certificate.exe, 00000019.00000002.354417581.0000000002BC3000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: company certificate.exe, 00000000.00000003.241078670.0000000001337000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: company certificate.exe, 00000000.00000002.261344677.000000000127F000.00000004.00000020.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: company certificate.exe, 00000000.00000003.241078670.0000000001337000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: company certificate.exe, 00000000.00000002.261344677.000000000127F000.00000004.00000020.sdmp, company certificate.exe, 00000008.00000002.325771817.0000000003493000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349270575.0000000002F33000.00000004.00000001.sdmp, company certificate.exe, 00000019.00000002.354417581.0000000002BC3000.00000004.00000001.sdmp, String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: company certificate.exe, 00000000.00000003.241078670.0000000001337000.00000004.00000001.sdmp, String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: company certificate.exe, 00000000.00000003.241078670.0000000001337000.00000004.00000001.sdmp, String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: company certificate.exe, 00000003.00000003.256200411.000000000592E000.00000004.00000001.sdmp, String found in binary or memory: http://en.wikip
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: company certificate.exe, 00000017.00000002.350596553.0000000002F41000.00000004.00000001.sdmp, String found in binary or memory: http://foo.com/foo
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.comodoca.com0
Source: company certificate.exe, 00000000.00000002.261344677.000000000127F000.00000004.00000020.sdmp, company certificate.exe, 00000008.00000002.325771817.0000000003493000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349270575.0000000002F33000.00000004.00000001.sdmp, company certificate.exe, 00000019.00000002.354417581.0000000002BC3000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0
Source: company certificate.exe, 00000000.00000002.261344677.000000000127F000.00000004.00000020.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: company certificate.exe, 00000000.00000003.241078670.0000000001337000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0C
Source: company certificate.exe, 00000000.00000003.241078670.0000000001337000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0O
Source: company certificate.exe, 00000000.00000002.261878847.00000000031C1000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.304231902.0000000002911000.00000004.00000001.sdmp, company certificate.exe, 00000008.00000002.325039711.0000000003461000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349143727.0000000002F01000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.350596553.0000000002F41000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, String found in binary or memory: http://whatismyipaddress.com/-
Source: company certificate.exe, 00000003.00000003.262488034.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.agfamonotype.
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: company certificate.exe, 00000003.00000003.256931636.0000000005928000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: company certificate.exe, 00000003.00000003.256931636.0000000005928000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comic
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: company certificate.exe, 00000003.00000003.256931636.0000000005928000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comn-u
Source: company certificate.exe, 00000003.00000003.256931636.0000000005928000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comncy
Source: company certificate.exe, 00000003.00000003.256931636.0000000005928000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comsig
Source: company certificate.exe, 00000003.00000003.265132586.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.261954395.000000000592A000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.263395330.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: company certificate.exe, 00000003.00000003.264283676.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers&
Source: company certificate.exe, 00000003.00000003.273539157.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers-
Source: company certificate.exe, 00000003.00000003.261909706.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: company certificate.exe, 00000003.00000003.263316885.000000000592A000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.263248954.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: company certificate.exe, 00000003.00000003.262581910.000000000592A000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: company certificate.exe, 00000003.00000003.262581910.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html)
Source: company certificate.exe, 00000003.00000003.262581910.000000000592A000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: company certificate.exe, 00000003.00000003.262283670.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers:
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: company certificate.exe, 00000003.00000003.273616147.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersB
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: company certificate.exe, 00000003.00000003.262283670.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersJ
Source: company certificate.exe, 00000003.00000003.262283670.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersP
Source: company certificate.exe, 00000003.00000003.262581910.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersX
Source: company certificate.exe, 00000003.00000003.264145343.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersb
Source: company certificate.exe, 00000003.00000003.263482446.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersr
Source: company certificate.exe, 00000003.00000003.262488034.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com9
Source: company certificate.exe, 00000003.00000003.265132586.000000000592A000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.262581910.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: company certificate.exe, 00000003.00000003.262581910.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comI.TTF
Source: company certificate.exe, 00000003.00000003.273831939.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma
Source: company certificate.exe, 00000003.00000003.262488034.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comaU6
Source: company certificate.exe, 00000003.00000003.265132586.000000000592A000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.264001260.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comalsd
Source: company certificate.exe, 00000003.00000003.265132586.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: company certificate.exe, 00000003.00000003.263759265.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.come
Source: company certificate.exe, 00000003.00000003.273831939.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.come.com
Source: company certificate.exe, 00000003.00000003.262283670.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comessed
Source: company certificate.exe, 00000003.00000003.273831939.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comionm6
Source: company certificate.exe, 00000003.00000003.262488034.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comnc.Z6
Source: company certificate.exe, 00000003.00000003.262283670.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como
Source: company certificate.exe, 00000003.00000003.261909706.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comonye
Source: company certificate.exe, 00000003.00000003.265132586.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comsiva
Source: company certificate.exe, 00000003.00000003.265132586.000000000592A000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comue
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: company certificate.exe, 00000003.00000003.256183737.0000000005925000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: company certificate.exe, 00000003.00000003.257130262.0000000005928000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.257949495.0000000005934000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnon
              Source: company certificate.exe, 00000003.00000003.256183737.0000000005925000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnq
              Source: company certificate.exe, 00000003.00000003.267005912.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: company certificate.exe, 00000003.00000003.267005912.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/S
              Source: company certificate.exe, 00000003.00000003.267339727.0000000005947000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: company certificate.exe, 00000003.00000003.251790543.000000000592E000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krE0
              Source: company certificate.exe, 00000003.00000003.260316003.0000000005928000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.260121937.0000000005925000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.258406902.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: company certificate.exe, 00000003.00000003.260278691.0000000005925000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6
              Source: company certificate.exe, 00000003.00000003.260316003.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/U6
              Source: company certificate.exe, 00000003.00000003.260316003.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-r
              Source: company certificate.exe, 00000003.00000003.260316003.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a:
              Source: company certificate.exe, 00000003.00000003.259252166.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/b5G
              Source: company certificate.exe, 00000003.00000003.260316003.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: company certificate.exe, 00000003.00000003.259252166.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/6
              Source: company certificate.exe, 00000003.00000003.260316003.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C6
              Source: company certificate.exe, 00000003.00000003.260316003.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/b5G
              Source: company certificate.exe, 00000003.00000003.260316003.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/k5N
              Source: company certificate.exe, 00000003.00000003.261463237.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
              Source: company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: company certificate.exe, 00000003.00000003.250771175.000000000592E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krlu
              Source: company certificate.exe, 00000003.00000003.249672189.000000000592E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krnot
              Source: company certificate.exe, 00000003.00000002.304289347.000000000297B000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: company certificate.exe, 00000003.00000003.257654016.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
              Source: company certificate.exe, 00000003.00000003.257654016.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: company certificate.exe, 00000003.00000003.264728150.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
              Source: company certificate.exe, 00000003.00000003.264507660.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de.
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: company certificate.exe, 00000003.00000003.261860218.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dei
              Source: company certificate.exe, 00000003.00000003.264614517.000000000592A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dev
              Source: company certificate.exe, 00000003.00000002.309372608.0000000006C02000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: company certificate.exe, 00000000.00000002.261878847.00000000031C1000.00000004.00000001.sdmp, company certificate.exe, 00000008.00000002.325039711.0000000003461000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349143727.0000000002F01000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com
              Source: company certificate.exe, 00000000.00000002.261878847.00000000031C1000.00000004.00000001.sdmp, company certificate.exe, 00000008.00000002.325039711.0000000003461000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349143727.0000000002F01000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/Hz88rB8R
              Source: company certificate.exe, 00000000.00000002.263876048.00000000041C9000.00000004.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/W63zsRav
              Source: company certificate.exe, 00000000.00000002.261878847.00000000031C1000.00000004.00000001.sdmp, company certificate.exe, 00000008.00000002.325039711.0000000003461000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349143727.0000000002F01000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/zLYfx8Ad
              Source: company certificate.exe, 00000000.00000002.261923547.00000000031F3000.00000004.00000001.sdmp, company certificate.exe, 00000000.00000002.261944152.000000000320A000.00000004.00000001.sdmp, company certificate.exe, 00000008.00000002.325980501.00000000034AA000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349326969.0000000002F4A000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349270575.0000000002F33000.00000004.00000001.sdmp, company certificate.exe, 00000019.00000002.354510604.0000000002BDA000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
              Source: company certificate.exe, 00000000.00000002.261344677.000000000127F000.00000004.00000020.sdmp, company certificate.exe, 00000008.00000002.325771817.0000000003493000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.349270575.0000000002F33000.00000004.00000001.sdmp, company certificate.exe, 00000019.00000002.354417581.0000000002BC3000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
              Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000023.00000002.344967709.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.353622215.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304541206.0000000002BBA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304522084.0000000002BAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263876048.00000000041C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: company certificate.exe PID: 6444, type: MEMORY
Source: Yara match | File source: Process Memory Space: company certificate.exe PID: 6972, type: MEMORY
Source: Yara match | File source: Process Memory Space: company certificate.exe PID: 6152, type: MEMORY
Source: Yara match | File source: Process Memory Space: company certificate.exe PID: 4644, type: MEMORY
Source: Yara match | File source: Process Memory Space: company certificate.exe PID: 488, type: MEMORY
Source: Yara match | File source: Process Memory Space: company certificate.exe PID: 4868, type: MEMORY
Source: Yara match | File source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 3.2.company certificate.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 23.2.company certificate.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\company certificate.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\company certificate.exe
Source: company certificate.exe, 00000000.00000002.261247605.0000000001248000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\company certificate.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.344967709.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000002.344967709.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.353622215.00000000041BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.353622215.00000000041BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.304522084.0000000002BAA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.263876048.00000000041C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.263876048.00000000041C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 0_2_0578FCA8 NtSetInformationThread
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 8_2_059DFCA8 NtSetInformationThread
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 8_2_059DFD52 NtSetInformationThread
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 0_2_05789700
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 0_2_05786198
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 0_2_057858C8
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 0_2_05785580
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 3_2_0109B29C
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 3_2_0109C310
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 3_2_010999D0
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 3_2_0109DFD0
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 3_2_0760B4E0
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 3_2_0760EEC8
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 3_2_0760BDB0
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 8_2_059D9700
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 8_2_059D6198
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 8_2_059D58C8
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 8_2_059D5580
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 8_2_059D0CB7
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_011B7290
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_011B38D0
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 13_2_011B38C5
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 23_2_0142B29C
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 23_2_0142C310
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 23_2_0142B290
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 23_2_014299D0
Source: C:\Users\user\Desktop\company certificate.exe | Code function: 23_2_0142DFD0
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1840
Source: company certificate.exe | Static PE information: invalid certificate
Source: company certificate.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: company certificate.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
Source: company certificate.exe, 00000000.00000002.270813523.0000000005600000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs company certificate.exe
Source: company certificate.exe, 00000000.00000002.261592843.000000000132E000.00000004.00000020.sdmp | Binary or memory string: OriginalFilename$B^>(.exe, vs company certificate.exe
Source: company certificate.exe, 00000000.00000002.261247605.0000000001248000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs company certificate.exe
Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
Source: company certificate.exe, 00000003.00000000.239813324.0000000000542000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$B^>(.exe, vs company certificate.exe
Source: company certificate.exe, 00000003.00000002.304610608.0000000002BDA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
Source: company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
Source: company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
Source: company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
Source: company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
Source: company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
Source: company certificate.exe, 00000008.00000000.261449590.0000000000ED2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$B^>(.exe, vs company certificate.exe
Source: company certificate.exe, 00000008.00000002.355160033.00000000058E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs company certificate.exe
Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
Source: company certificate.exe, 0000000D.00000002.360054875.0000000005240000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs company certificate.exe
Source: company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
Source: company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
Source: company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
Source: company certificate.exe, 0000000D.00000000.278627850.0000000000912000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$B^>(.exe, vs company certificate.exe
Source: company certificate.exe | Binary or memory string: OriginalFilename vs company certificate.exe
Source: company certificate.exe, 00000017.00000002.349109003.0000000000A62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$B^>(.exe, vs company certificate.exe
Source: company certificate.exe, 00000017.00000002.349825384.000000000109A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs company certificate.exe
Source: company certificate.exe, 00000017.00000002.353993530.0000000006140000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs company certificate.exe
Source: company certificate.exe, 00000017.00000002.353579286.0000000006050000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs company certificate.exe
Source: company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
Source: company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
Source: company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
Source: company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
Source: company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
Source: company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
Source: company certificate.exe, 00000019.00000000.297424192.0000000000872000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename$B^>(.exe, vs company certificate.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000023.00000002.344967709.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000023.00000002.344967709.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.353622215.00000000041BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.353622215.00000000041BE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.304522084.0000000002BAA000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000020.00000002.374035994.0000000004431000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
              Source: 00000008.00000002.350818189.0000000004F11000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
              Source: 00000000.00000002.263876048.00000000041C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.263876048.00000000041C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000D.00000002.356010371.00000000049B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings, score =
              Source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csBase64 encoded string: 'unzS+pg42vugb6FMOcS69NO7+3YGikCOemKckEqykzUy/t0qEMMoJX39kx48vBTArmXSBHyaz0ya2N0Xwgpoug==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csBase64 encoded string: 'unzS+pg42vugb6FMOcS69NO7+3YGikCOemKckEqykzUy/t0qEMMoJX39kx48vBTArmXSBHyaz0ya2N0Xwgpoug==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: company certificate.exe, 00000000.00000002.261571739.000000000131B000.00000004.00000020.sdmpBinary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
              Source: company certificate.exe, 00000019.00000002.353758557.0000000000F6F000.00000004.00000020.sdmpBinary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb~
              Source: company certificate.exe, 00000000.00000002.272208846.0000000006A16000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.349931129.00000000010F1000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
              Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@32/16@9/4
              Source: C:\Users\user\Desktop\company certificate.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:780:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6972
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6444
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4644
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6673.tmpJump to behavior
              Source: company certificate.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\company certificate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\company certificate.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: company certificate.exe, 00000000.00000002.265720385.000000000447E000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.303049225.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000008.00000002.338551225.0000000004469000.00000004.00000001.sdmp, company certificate.exe, 0000000D.00000002.351635854.0000000003F09000.00000004.00000001.sdmp, company certificate.exe, 00000017.00000002.348799405.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000019.00000002.363531819.0000000004938000.00000004.00000001.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: company certificate.exeVirustotal: Detection: 8%
              Source: C:\Users\user\Desktop\company certificate.exeFile read: C:\Users\user\Desktop\company certificate.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1840
              Source: unknownProcess created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 2024
              Source: unknownProcess created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exe
              Source: unknownProcess created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 1676
              Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Users\user\Desktop\company certificate.exe 'C:\Users\user\Desktop\company certificate.exe'
              Source: unknownProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: unknownProcess created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exe
              Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6152 -s 1248
              Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 960
              Source: C:\Users\user\Desktop\company certificate.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4Jump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeProcess created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exeJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4Jump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeProcess created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exeJump to behavior
              Source: C:\Users\user\Desktop\company certificate.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4
              Source: C:\Users\user\Desktop\company certificate.exeProcess created: C:\Users\user\Desktop\company certificate.exe C:\Users\user\Desktop\company certificate.exe
              Source: C:\Users\user\Desktop\company certificate.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 4