Analysis Report company certificate.bat

Overview

General Information

Sample Name: company certificate.bat (renamed file extension from bat to exe)
Analysis ID: 295276
MD5: e09d2ecf2d84113811490c66fdd49f3c
SHA1: 6f5304639920e71a09b1cdb23d73e0d7659fc68f
SHA256: ea56daef74bb7280e915eb22485008a932d9a73345810f0fbf2861285dfb9bbc
Tags: bat, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • company certificate.exe (PID: 6680 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • timeout.exe (PID: 6704 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 6772 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: E09D2ECF2D84113811490C66FDD49F3C)
      • WerFault.exe (PID: 6812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6772 -s 1996 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 6860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 836 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • company certificate.exe (PID: 1600 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • timeout.exe (PID: 4564 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 6916 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • WerFault.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1044 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • company certificate.exe (PID: 6840 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • timeout.exe (PID: 5952 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • company certificate.exe (PID: 5584 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • company certificate.exe (PID: 4252 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • company certificate.exe (PID: 1288 cmdline: C:\Users\user\Desktop\company certificate.exe MD5: E09D2ECF2D84113811490C66FDD49F3C)
  • company certificate.exe (PID: 4116 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • timeout.exe (PID: 6420 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 4196 cmdline: 'C:\Users\user\Desktop\company certificate.exe' MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • timeout.exe (PID: 4560 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • company certificate.exe (PID: 4860 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe' MD5: E09D2ECF2D84113811490C66FDD49F3C)
    • timeout.exe (PID: 6056 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed below each row)

00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7bcf6:$key: HawkEyeKeylogger
  • 0xfdb16:$key: HawkEyeKeylogger
  • 0x7df3a:$salt: 099u787978786
  • 0xffd5a:$salt: 099u787978786
  • 0x7c337:$string1: HawkEye_Keylogger
  • 0x7d18a:$string1: HawkEye_Keylogger
  • 0x7de9a:$string1: HawkEye_Keylogger
  • 0xfe157:$string1: HawkEye_Keylogger
  • 0xfefaa:$string1: HawkEye_Keylogger
  • 0xffcba:$string1: HawkEye_Keylogger
  • 0x7c720:$string2: holdermail.txt
  • 0x7c740:$string2: holdermail.txt
  • 0xfe540:$string2: holdermail.txt
  • 0xfe560:$string2: holdermail.txt
  • 0x7c662:$string3: wallet.dat
  • 0x7c67a:$string3: wallet.dat
  • 0x7c690:$string3: wallet.dat
  • 0xfe482:$string3: wallet.dat
  • 0xfe49a:$string3: wallet.dat
  • 0xfe4b0:$string3: wallet.dat
  • 0x7da5e:$string4: Keylog Records

00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7c38f:$hawkstr1: HawkEye Keylogger
  • 0x7d1d0:$hawkstr1: HawkEye Keylogger
  • 0x7d4ff:$hawkstr1: HawkEye Keylogger
  • 0x7d65a:$hawkstr1: HawkEye Keylogger
  • 0x7d7bd:$hawkstr1: HawkEye Keylogger
  • 0x7da36:$hawkstr1: HawkEye Keylogger
  • 0xfe1af:$hawkstr1: HawkEye Keylogger
  • 0xfeff0:$hawkstr1: HawkEye Keylogger
  • 0xff31f:$hawkstr1: HawkEye Keylogger
  • 0xff47a:$hawkstr1: HawkEye Keylogger
  • 0xff5dd:$hawkstr1: HawkEye Keylogger
  • 0xff856:$hawkstr1: HawkEye Keylogger
  • 0x7bf1d:$hawkstr2: Dear HawkEye Customers!
  • 0x7d552:$hawkstr2: Dear HawkEye Customers!
  • 0x7d6a9:$hawkstr2: Dear HawkEye Customers!
  • 0x7d810:$hawkstr2: Dear HawkEye Customers!
  • 0xfdd3d:$hawkstr2: Dear HawkEye Customers!
  • 0xff372:$hawkstr2: Dear HawkEye Customers!
  • 0xff4c9:$hawkstr2: Dear HawkEye Customers!
  • 0xff630:$hawkstr2: Dear HawkEye Customers!
  • 0x7c03e:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings (listed below each row)

23.2.company certificate.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8ce:$key: HawkEyeKeylogger
  • 0x7db12:$salt: 099u787978786
  • 0x7bf0f:$string1: HawkEye_Keylogger
  • 0x7cd62:$string1: HawkEye_Keylogger
  • 0x7da72:$string1: HawkEye_Keylogger
  • 0x7c2f8:$string2: holdermail.txt
  • 0x7c318:$string2: holdermail.txt
  • 0x7c23a:$string3: wallet.dat
  • 0x7c252:$string3: wallet.dat
  • 0x7c268:$string3: wallet.dat
  • 0x7d636:$string4: Keylog Records
  • 0x7d94e:$string4: Keylog Records
  • 0x7db6a:$string5: do not script -->
  • 0x7b8b6:$string6: \pidloc.txt
  • 0x7b944:$string7: BSPLIT
  • 0x7b954:$string7: BSPLIT

23.2.company certificate.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

23.2.company certificate.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security

23.2.company certificate.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

23.2.company certificate.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bf67:$hawkstr1: HawkEye Keylogger
  • 0x7cda8:$hawkstr1: HawkEye Keylogger
  • 0x7d0d7:$hawkstr1: HawkEye Keylogger
  • 0x7d232:$hawkstr1: HawkEye Keylogger
  • 0x7d395:$hawkstr1: HawkEye Keylogger
  • 0x7d60e:$hawkstr1: HawkEye Keylogger
  • 0x7baf5:$hawkstr2: Dear HawkEye Customers!
  • 0x7d12a:$hawkstr2: Dear HawkEye Customers!
  • 0x7d281:$hawkstr2: Dear HawkEye Customers!
  • 0x7d3e8:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc16:$hawkstr3: HawkEye Logger Details:

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: company certificate.exe.6680.0.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: company certificate.exe | ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: company certificate.exe | Joe Sandbox ML: detected
Source: 3.2.company certificate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.company certificate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 23.2.company certificate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 23.2.company certificate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: company certificate.exe, 00000003.00000002.479851010.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 00000003.00000002.479851010.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: global traffic | TCP traffic: 192.168.2.7:49757 -> 199.193.7.228:587
Source: Joe Sandbox View | IP Address: 199.193.7.228 199.193.7.228
Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.490945929.0000000003D81000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.490945929.0000000003D81000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 40.78.5.0.in-addr.arpa
Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.490945929.0000000003D81000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: company certificate.exe, 00000003.00000002.515417062.0000000007BA9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.usertrust.T
Source: company certificate.exe, 00000003.00000002.515417062.0000000007BA9000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0
Source: company certificate.exe, 00000003.00000002.515417062.0000000007BA9000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: company certificate.exe, 00000003.00000003.258394179.0000000005EA3000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: company certificate.exe, 00000003.00000003.254520197.0000000005EC3000.00000004.00000001.sdmp | String found in binary or memory: http://en.wg
Source: company certificate.exe, 00000003.00000003.255806677.0000000005EA2000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp, company certificate.exe, 00000003.00000003.256165703.0000000005EDE000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.490945929.0000000003D81000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: company certificate.exe, 00000003.00000002.515417062.0000000007BA9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: company certificate.exe, 00000000.00000002.318841883.0000000002DA2000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.484982853.0000000002D81000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.518948800.0000000002A41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000006.00000003.269538186.0000000004F00000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: company certificate.exe, 00000003.00000002.490772961.0000000003156000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.privateemail.com
Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.479851010.0000000000402000.00000040.00000001.sdmp, company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlM
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmliTr
Source: company certificate.exe, 00000003.00000003.260182152.0000000005EA2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: company certificate.exe, 00000003.00000003.260182152.0000000005EA2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: company certificate.exe, 00000003.00000003.260182152.0000000005EA2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u&oD
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp, company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.269113560.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: company certificate.exe, 00000003.00000003.269668248.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: company certificate.exe, 00000003.00000003.269668248.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/M
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersBO
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: company certificate.exe, 00000003.00000002.502923924.0000000005EA0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerse
Source: company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=I
Source: company certificate.exe, 00000003.00000003.269113560.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF=I
Source: company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comI.TTF
Source: company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsdJI
Source: company certificate.exe, 00000003.00000003.272470981.0000000005EAE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcom
Source: company certificate.exe, 00000003.00000003.273947366.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomd
Source: company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: company certificate.exe, 00000003.00000003.270774548.0000000005EA8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitu
Source: company certificate.exe, 00000003.00000003.273551600.0000000005EAD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: company certificate.exe, 00000003.00000003.270913690.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comsIq
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: company certificate.exe, 00000003.00000003.258394179.0000000005EA3000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnht
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000003.260460041.0000000005EA7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: company certificate.exe, 00000003.00000003.260460041.0000000005EA7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/AI
Source: company certificate.exe, 00000003.00000003.260460041.0000000005EA7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/XI
Source: company certificate.exe, 00000003.00000003.260460041.0000000005EA7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-e
Source: company certificate.exe, 00000003.00000003.260460041.0000000005EA7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/eIo
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/l-gJI
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/nIV
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/s/I
Source: company certificate.exe, 00000003.00000003.261486626.0000000005EAA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/tIp
Source: company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: company certificate.exe, 00000003.00000003.255280385.0000000005EDE000.00000004.00000001.sdmp, company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: company certificate.exe, 00000003.00000003.255280385.0000000005EDE000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com5
Source: company certificate.exe, 00000003.00000003.255014906.00000000014DB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coml
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: company certificate.exe, 00000003.00000002.485247901.0000000002DEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
              Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: company certificate.exe, 00000003.00000002.503278066.0000000005F90000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: company certificate.exe, 00000000.00000002.322004947.0000000003DDD000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.301404475.0000000004EC0000.00000004.00000001.sdmp, company certificate.exe, 00000009.00000002.525128674.0000000003B5D000.00000004.00000001.sdmpString found in binary or memory: https://pastebin.com/raw/W63zsRav
              Source: company certificate.exe, 00000003.00000002.515417062.0000000007BA9000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/4
              Source: company certificate.exe, 00000003.00000002.515417062.0000000007BA9000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Yara detected HawkEye Keylogger
              Source: Yara match File source: 00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000002.437983346.000000000431A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000022.00000002.520109043.00000000043CD000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001E.00000002.485320565.0000000003B2D000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000009.00000002.525128674.0000000003B5D000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000012.00000003.326965812.0000000005510000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000019.00000002.463829302.000000000438D000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000013.00000002.412928304.000000000407D000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000017.00000002.442976094.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000019.00000002.476738899.0000000004629000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000003.00000002.489685698.000000000301A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000003.00000002.479851010.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000024.00000002.422887279.0000000000402000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000003.00000002.489720094.000000000302A000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.322004947.0000000003DDD000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 0000001E.00000002.491456087.0000000003DCA000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match File source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE
              Contains functionality to log keystrokes (.Net Source)
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
              Installs a global keyboard hook
              Source: C:\Users\user\Desktop\company certificate.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\company certificate.exe
              Source: company certificate.exe, 00000000.00000002.309715329.0000000000F28000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
              Source: C:\Users\user\Desktop\company certificate.exe Window created: window name: CLIPBRDWNDCLASS

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000013.00000002.437983346.000000000431A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000013.00000002.437983346.000000000431A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000022.00000002.520109043.00000000043CD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000022.00000002.520109043.00000000043CD000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001E.00000002.485320565.0000000003B2D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000001E.00000002.485320565.0000000003B2D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000009.00000002.525128674.0000000003B5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000009.00000002.525128674.0000000003B5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000012.00000003.326965812.0000000005510000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000012.00000003.326965812.0000000005510000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000019.00000002.463829302.000000000438D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000019.00000002.463829302.000000000438D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000013.00000002.412928304.000000000407D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000013.00000002.412928304.000000000407D000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000017.00000002.442976094.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000017.00000002.442976094.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000019.00000002.476738899.0000000004629000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000019.00000002.476738899.0000000004629000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.489685698.000000000301A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.479851010.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000003.00000002.479851010.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000024.00000002.422887279.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000024.00000002.422887279.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.489720094.000000000302A000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.322004947.0000000003DDD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.322004947.0000000003DDD000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0000001E.00000002.491456087.0000000003DCA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0000001E.00000002.491456087.0000000003DCA000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 0_2_008B16DD
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 3_2_00A416DD
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 3_2_0139B29C
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 3_2_0139C310
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 3_2_0139B290
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 3_2_013999D0
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 3_2_0139DFD0
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 9_2_005816DD
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 9_2_00D85880
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 9_2_00D82D3C
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 9_2_00D83E00
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 9_2_010795E8
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 9_2_0107D950
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 9_2_01079EB8
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 9_2_010792A0
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 19_2_00C616DD
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 19_2_02D25E98
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 19_2_02D23E38
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 19_2_02D257E7
              Source: C:\Users\user\Desktop\company certificate.exe Code function: 19_2_02D23E00
              Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 836
              Source: company certificate.exe Static PE information: invalid certificate
              Source: company certificate.exe Binary or memory string: OriginalFilename vs company certificate.exe
              Source: company certificate.exe, 00000000.00000002.309715329.0000000000F28000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs company certificate.exe
              Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
              Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
              Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
              Source: company certificate.exe, 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp Binary or memory string: OriginalFilename?Q~ vs company certificate.exe
              Source: company certificate.exe, 00000000.00000002.322004947.0000000003DDD000.00000004.00000001.sdmp Binary or memory string: OriginalFilename~ vs company certificate.exe
              Source: company certificate.exe Binary or memory string: OriginalFilename vs company certificate.exe
              Source: company certificate.exe, 00000003.00000002.483193824.000000000110A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs company certificate.exe
              Source: company certificate.exe, 00000003.00000002.480301988.0000000000482000.00000040.00000001.sdmp Binary or memory string: OriginalFilename?Q~ vs company certificate.exe
              Source: company certificate.exe, 00000003.00000002.489882428.0000000003048000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
              Source: company certificate.exe, 00000003.00000002.490945929.0000000003D81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
              Source: company certificate.exe, 00000003.00000002.490945929.0000000003D81000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
              Source: company certificate.exe Binary or memory string: OriginalFilename vs company certificate.exe
              Source: company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs company certificate.exe
              Source: company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs company certificate.exe
              Source: company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs company certificate.exe
              Source: company certificate.exe, 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp Binary or memory string: OriginalFilename?Q~ vs company certificate.exe
              Source: company certificate.exe, 00000009.00000002.525128674.0000000003B5D000.00000004.00000001.sdmp Binary or memory string: OriginalFilename~ vs company certificate.exe
              Source: company certificate.exe Binary or memory string: OriginalFilename vs company certificate.exe
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
              Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
              Source: 00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000022.00000002.525539178.0000000004668000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000002.526433434.0000000003DFB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000013.00000002.437983346.000000000431A000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000013.00000002.437983346.000000000431A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000022.00000002.520109043.00000000043CD000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000022.00000002.520109043.00000000043CD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001E.00000002.485320565.0000000003B2D000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000001E.00000002.485320565.0000000003B2D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000009.00000002.525128674.0000000003B5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000009.00000002.525128674.0000000003B5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000012.00000003.326965812.0000000005510000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000012.00000003.326965812.0000000005510000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000019.00000002.463829302.000000000438D000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000019.00000002.463829302.000000000438D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000013.00000002.412928304.000000000407D000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000013.00000002.412928304.000000000407D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000017.00000002.442976094.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000017.00000002.442976094.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.325675344.0000000004077000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000019.00000002.476738899.0000000004629000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000019.00000002.476738899.0000000004629000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.489685698.000000000301A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.479851010.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000003.00000002.479851010.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000024.00000002.422887279.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000024.00000002.422887279.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.489720094.000000000302A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.322004947.0000000003DDD000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.322004947.0000000003DDD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0000001E.00000002.491456087.0000000003DCA000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0000001E.00000002.491456087.0000000003DCA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 23.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 3.2.company certificate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: company certificate.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: company certificate.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
              Source: 3.2.company certificate.exe.400000.0.unpack, Form1.csBase64 encoded string: 'unzS+pg42vugb6FMOcS69NO7+3YGikCOemKckEqykzUy/t0qEMMoJX39kx48vBTArmXSBHyaz0ya2N0Xwgpoug==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: 23.2.company certificate.exe.400000.0.unpack, Form1.csBase64 encoded string: 'unzS+pg42vugb6FMOcS69NO7+3YGikCOemKckEqykzUy/t0qEMMoJX39kx48vBTArmXSBHyaz0ya2N0Xwgpoug==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: company certificate.exe, 00000000.00000002.310571054.0000000000FC1000.00000004.00000020.sdmpBinary or memory string: inaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
              Source: company certificate.exe, 00000000.00000002.310571054.0000000000FC1000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb8C9FA}\InprocServer32P
              Source: company certificate.exe, 00000000.00000002.334539748.0000000005C40000.00000004.00000001.sdmpBinary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb
              Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@41/16@2/3
              Source: C:\Users\user\Desktop\company certificate.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\company certificate.exeJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6680
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6712:120:WilError_01
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6772
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1600
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01