Analysis Report document.exe

Overview

General Information

Sample Name: document.exe
Analysis ID: 298119
MD5: 0e43f07d161f5d0f3739e5588e1bb3e5
SHA1: 1c67ae07cc9f304cb40731f6ed64ec1684198aad
SHA256: 32a1d99c12d4bbbf6b20ee43a25cf4dccf34ba30d8d40dc68d9c59d4c7ba25d5
Tags: exe

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • document.exe (PID: 2044 cmdline: 'C:\Users\user\Desktop\document.exe' MD5: 0E43F07D161F5D0F3739E5588E1BB3E5)
    • document.exe (PID: 6912 cmdline: 'C:\Users\user\Desktop\document.exe' MD5: 0E43F07D161F5D0F3739E5588E1BB3E5)
      • vbc.exe (PID: 5776 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2DB7.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6708 cmdline: 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp26BE.tmp' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • document.exe (PID: 6856 cmdline: 'C:\Users\user\Desktop\document.exe' 2 6912 4527000 MD5: 0E43F07D161F5D0F3739E5588E1BB3E5)
  • cleanup
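The Startup tree above is the most actionable part of this report for detection engineering, because it survives in ordinary process-creation telemetry (Sysmon event 1, EDR process logs): document.exe starts a second copy of itself, and that copy starts the .NET Framework compiler vbc.exe with `/stext <temp file>`. `/stext` is not a vbc.exe option; it is the NirSoft "save as text" switch, and the Yara and string hits later in the report (MailPassView, WebBrowserPassView, nirsoft.net) show that vbc.exe is only the hollowed host for those credential-recovery tools. The report's Sigma overview says no rule matched, so the check below is added example code written for this page, not Joe Sandbox's or any published rule. The events are constructed from the PIDs and command lines in the tree; the root parent PID, the benign MSBuild-style compile line, and the extra NirSoft `/s*` output switches (documented NirSoft options that do not appear in this report) are assumptions.

```python
"""Flag the process-tree pattern from the Startup section.

Added example, not Joe Sandbox or HawkEye code. Events are constructed from
the PIDs and command lines the report lists; the root parent PID (1234) and
the benign compile line are assumptions. '/stext' is NirSoft's "save as text"
switch; the other switches in DUMP_RE are NirSoft's documented variants and
do not appear in this report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: int
    parent_image: Optional[str]
    host_image: str
    switch: str
    out_path: str


# NirSoft "save report" switch followed by a quoted or bare output path.
# vbc.exe, the VB.NET compiler, accepts none of these switches.
DUMP_RE = re.compile(
    r"(?i)(?<!\S)(/s(?:text|html|verhtml|xml|comma|tab|csv))\s+('[^']*'|\"[^\"]*\"|\S+)"
)


def nirsoft_dump_args(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (switch, output path) when a NirSoft dump switch is present."""
    m = DUMP_RE.search(cmdline)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).strip("'\"")


def is_dotnet_framework_binary(image: str) -> bool:
    """True for images living under \\Microsoft.NET\\Framework (vbc.exe here)."""
    return "\\microsoft.net\\framework" in image.lower()


def find_injected_nirsoft(events: List[ProcEvent]) -> List[Finding]:
    """A .NET Framework binary run with a NirSoft dump switch: hollowed host."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        if not is_dotnet_framework_binary(e.image):
            continue
        args = nirsoft_dump_args(e.cmdline)
        if args is None:
            continue
        parent = by_pid.get(e.ppid)
        findings.append(Finding(e.pid, e.ppid, parent.image if parent else None,
                                e.image, args[0], args[1]))
    return findings


def find_self_spawns(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(parent pid, child pid) pairs where a process starts its own image again.
    The suspended copy used for hollowing shows up this way; the
    CREATE_SUSPENDED flag itself is not in process-creation logs."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid and by_pid[e.ppid].image.lower() == e.image.lower()]


DOC = r"C:\Users\user\Desktop\document.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

SAMPLE_EVENTS = [  # constructed from the report's Startup tree
    ProcEvent(2044, 1234, DOC, f"'{DOC}'"),  # parent PID 1234 assumed
    ProcEvent(6912, 2044, DOC, f"'{DOC}'"),
    ProcEvent(5776, 6912, VBC, f"'{VBC}' /stext 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp2DB7.tmp'"),
    ProcEvent(6708, 6912, VBC, f"'{VBC}' /stext 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp26BE.tmp'"),
    ProcEvent(6856, 2044, DOC, f"'{DOC}' 2 6912 4527000"),
    # benign contrast (assumed): a real compile never carries a /s* dump switch
    ProcEvent(7001, 7000, VBC, f"'{VBC}' /noconfig /out:app.exe Module1.vb"),
]

if __name__ == "__main__":
    for f in find_injected_nirsoft(SAMPLE_EVENTS):
        print(f"pid {f.pid} ({f.host_image}) {f.switch} -> {f.out_path}, parent pid {f.ppid} {f.parent_image}")
    print("self-spawns:", find_self_spawns(SAMPLE_EVENTS))
```

Run against the constructed tree, both vbc.exe children (PIDs 5776 and 6708) are reported with their %TEMP% output files and their parent (the second document.exe, PID 6912), while the compile line is not; the self-spawn check returns the two document.exe children of PID 2044. Read the output file path too: the dumped credentials sit on disk in %TEMP% until the sample collects and deletes them, which is worth a file-creation rule on its own.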

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.661460467.0000000004422000.00000040.00000001.sdmp | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x80f3a:$s2: _ScreenshotLogger
  • 0x80f07:$s3: _PasswordStealer
00000000.00000002.661460467.0000000004422000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000E.00000002.810258534.0000000000400000.00000040.00000001.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
0000000E.00000002.810258534.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(5 of 34 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.document.exe.4a30000.5.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x6b8fa:$a1: logins.json
  • 0x6b85a:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x6c07e:$s4: \mozsqlite3.dll
  • 0x6a8ee:$s5: SMTP Password
2.2.document.exe.4a30000.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
2.2.document.exe.4a30000.5.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
2.2.document.exe.22b0000.3.unpack | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | Florian Roth
  • 0x480f3a:$s2: _ScreenshotLogger
  • 0x480f07:$s3: _PasswordStealer
2.2.document.exe.22b0000.3.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(5 of 28 entries shown)
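Two things in these tables deserve a closer look. First, the string lines are what a Yara match actually consists of: an offset into the dump, the string identifier, and the matched text, and a rule fires only when its condition over those strings holds. Second, the BabyShark/KimJongRAT hit should not be read as a second malware family: the region it fires on (vbc.exe, `0000000E...00400000`) is the same one Joe Security tags as MailPassView and in which the nirsoft.net URL is found (see the Networking strings), and the four strings shown (`logins.json`, the `moz_login` SELECT, `\mozsqlite3.dll`, `SMTP Password`) are generic browser and mail credential-recovery strings rather than anything specific to that RAT. The scanner below is an added example, not the YARA engine and not the published rules: it searches a buffer for exactly the strings this report shows matching, as ASCII and as UTF-16LE, prints them in the report's `0x<offset>:$id: <string>` form, and evaluates an assumed "N of them" condition (the real rules contain more strings and their own conditions, which the report does not reproduce). The dump bytes are constructed.

```python
"""Reproduce how the Yara Overview's string hits are computed.

Added example, not the YARA engine and not the published rules. RULES holds
only the strings the report shows matching; the "min_strings of them"
condition is an assumption, and the dump is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Hit:
    offset: int
    ident: str
    text: str
    wide: bool  # matched as UTF-16LE rather than ASCII


RULES: Dict[str, Dict[str, str]] = {
    "MAL_HawkEye_Keylogger_Gen_Dec18": {
        "$s2": "_ScreenshotLogger",
        "$s3": "_PasswordStealer",
    },
    "APT_NK_BabyShark_KimJoingRAT_Apr19_1": {
        "$a1": "logins.json",
        "$s3": ("SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
                "passwordField, encryptedUsername, encryptedPassword FROM moz_login"),
        "$s4": "\\mozsqlite3.dll",
        "$s5": "SMTP Password",
    },
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in buf, overlapping matches included."""
    out, pos = [], buf.find(needle)
    while pos != -1:
        out.append(pos)
        pos = buf.find(needle, pos + 1)
    return out


def scan(buf: bytes, strings: Dict[str, str]) -> List[Hit]:
    """Search each rule string as ASCII and as UTF-16LE, lowest offset first.
    .NET metadata names such as _PasswordStealer are stored as ASCII/UTF-8;
    NirSoft's Win32 tools keep many of their strings wide, so both matter."""
    hits: List[Hit] = []
    for ident, text in strings.items():
        for wide in (False, True):
            needle = text.encode("utf-16le" if wide else "ascii")
            hits.extend(Hit(off, ident, text, wide) for off in find_all(buf, needle))
    return sorted(hits, key=lambda h: (h.offset, h.ident))


def format_hit(h: Hit) -> str:
    """Same shape as the report's lines, e.g. '0x80f3a:$s2: _ScreenshotLogger'."""
    return f"0x{h.offset:x}:{h.ident}: {h.text}" + (" (wide)" if h.wide else "")


def rule_matches(buf: bytes, strings: Dict[str, str], min_strings: int) -> bool:
    """Assumed condition '<min_strings> of them' over distinct string identifiers."""
    return len({h.ident for h in scan(buf, strings)}) >= min_strings


def build_constructed_dump() -> bytes:
    """Constructed stand-in for a memory dump; not bytes from the sample."""
    return b"".join([
        b"\x00" * 0x100,
        b"_PasswordStealer",                  # ASCII at 0x100
        b"\x00" * 0x20,
        b"_ScreenshotLogger",                 # ASCII at 0x130
        b"\x00" * 0x10,
        "SMTP Password".encode("utf-16le"),   # wide at 0x151
        b"\x00" * 0x10,
        b"logins.json",                       # ASCII at 0x17b
    ])


if __name__ == "__main__":
    dump = build_constructed_dump()
    for name, strings in RULES.items():
        verdict = "match" if rule_matches(dump, strings, 2) else "no match"
        print(f"{name}: {verdict}")
        for h in scan(dump, strings):
            print("  " + format_hit(h))
```

On the constructed dump both rules reach two distinct strings and so "match" under the assumed condition, and the BabyShark rule does so on `SMTP Password` and `logins.json` alone. That is the practical point: when a rule's reported strings are all shared credential-harvesting artefacts, check which other rules hit the same region before attributing the sample to the rule's named family.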

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.5776.4.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for domain / URL
Source: eagleeyeapparels.com | Virustotal: Detection: 11%
Source: mail.eagleeyeapparels.com | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: document.exe | Virustotal: Detection: 38%
Source: document.exe | ReversingLabs: Detection: 22%
Machine Learning detection for sample
Source: document.exe | Joe Sandbox ML: detected
Source: 0.2.document.exe.4420000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.document.exe.43b0000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.document.exe.2340000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.document.exe.22b0000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.document.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00408770 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0040599C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00408770 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_0040599C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040A1A7 FindFirstFileW,FindNextFileW

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: bot.whatismyipaddress.com (5 queries)
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 54.39.139.67:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: bot.whatismyipaddress.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, Host: bot.whatismyipaddress.com
Source: Joe Sandbox View | IP Address: 54.39.139.67
Source: Joe Sandbox View | IP Address: 66.171.248.178
Source: Joe Sandbox View | ASN Name: OVHFR
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_023FA186 recv
Source: vbc.exe, 00000004.00000003.675426433.0000000002221000.00000004.00000001.sdmp | String found in binary or memory: %2C188%2C226&rtime=278&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://contextual.media.net/medianet.phphttps://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=145&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591https://consent.google.com/done8https://consent.google.com/set?pc=s&uxe=4421591https://consent.google.com/sethttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=M
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.675600735.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook) and www.yahoo.com (Yahoo)
Source: vbc.exe, 00000004.00000002.676155807.0000000002222000.00000004.00000001.sdmp | String found in binary or memory: chrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook) and www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: bot.whatismyipaddress.com
Source: document.exe, 00000002.00000002.923804869.0000000002C46000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com
Source: document.exe, 00000002.00000002.922724163.0000000002A43000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.com/
Source: document.exe, 00000002.00000002.923462190.0000000002BFE000.00000004.00000001.sdmp | String found in binary or memory: http://bot.whatismyipaddress.comx&
Source: document.exe, 00000002.00000002.928501445.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: document.exe, 00000002.00000002.928501445.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: document.exe, 00000002.00000002.928501445.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: document.exe, 00000002.00000002.928501445.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: document.exe, 00000002.00000002.928501445.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: document.exe | String found in binary or memory: http://pomf.cat/upload.php
Source: document.exe, 00000000.00000002.661460467.0000000004422000.00000040.00000001.sdmp, document.exe, 00000002.00000002.920684400.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.php&https://a.pomf.cat/
Source: document.exe, 00000002.00000002.922724163.0000000002A43000.00000004.00000001.sdmp | String found in binary or memory: http://pomf.cat/upload.phpCContent-Disposition:
Source: document.exe, 00000002.00000002.928501445.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: vbc.exe, 00000004.00000002.675580798.000000000019C000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: vbc.exe, 0000000E.00000002.810258534.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: vbc.exe, 00000004.00000002.676155807.0000000002222000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: document.exe, 00000002.00000002.922724163.0000000002A43000.00000004.00000001.sdmp | String found in binary or memory: https://a.pomf.cat/
Source: vbc.exe, 00000004.00000003.675031681.0000000002223000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.675426433.0000000002221000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000004.00000003.675031681.0000000002223000.00000004.00000001.sdmp, vbc.exe, 00000004.00000003.675426433.0000000002221000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/medianet.php?cid=8CU157172&cr
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: document.exe, 00000002.00000002.928501445.00000000080C0000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: vbc.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000004.00000003.675031681.0000000002223000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlhttps://www.google.com/intl/en_uk/chrome/http
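The observed traffic in this section reduces to three behaviours that are cheap to alert on from network telemetry: repeated DNS lookups of an external-IP lookup service (bot.whatismyipaddress.com, which the sample then fetches over plain HTTP), a TCP connection from the desktop to port 587 (SMTP submission, matching the "Uses SMTP (mail sending)" signature, and the usual HawkEye exfiltration channel), and HTTP requests carrying only Host and Connection headers and no User-Agent ("HTTP GET or POST without a user agent"). The pomf.cat upload URL appears only in strings, not in captured traffic, so it is left out. The checks below are added example code for this page, not Joe Sandbox logic. The records are constructed from the DNS, TCP and HTTP lines above; the process name attached to each connection, the benign contrast records, the mail-client allowlist, and the IP-check domains other than bot.whatismyipaddress.com are assumptions and go beyond what the report shows.

```python
"""Check network telemetry for the behaviours in the Networking section.

Added example, not Joe Sandbox code. Records are constructed from the
report's DNS, TCP and HTTP lines where marked; per-connection process
attribution, the benign contrast records, MAIL_CLIENTS and the extra
IP_CHECK_DOMAINS entries are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# External-IP lookup services. Only the first is in this report; the others
# are further public services of the same kind, added here as assumptions.
IP_CHECK_DOMAINS = {"bot.whatismyipaddress.com", "checkip.dyndns.org",
                    "api.ipify.org", "icanhazip.com"}
SMTP_PORTS = {25, 465, 587}                      # 587 is the port seen in the report
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed legitimate SMTP senders


def parse_http_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, lower-cased headers)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def flag_ip_check_dns(dns_log: List[Tuple[str, str]]) -> List[Finding]:
    """One finding per (client, domain), counting repeated queries."""
    counts = Counter((src, q.lower().rstrip(".")) for src, q in dns_log)
    return [Finding("ip-check-dns", f"{src} resolved {q} ({n} queries)")
            for (src, q), n in counts.items() if q in IP_CHECK_DOMAINS]


def flag_smtp_submission(conn_log: List[Tuple[str, int, str, int, str]]) -> List[Finding]:
    """Outbound SMTP from anything that is not a mail client."""
    return [Finding("smtp-submission", f"{image} {src}:{sport} -> {dst}:{dport}")
            for src, sport, dst, dport, image in conn_log
            if dport in SMTP_PORTS and image.lower() not in MAIL_CLIENTS]


def flag_http_without_user_agent(http_log: List[str]) -> List[Finding]:
    """GET/POST requests that carry no User-Agent header at all."""
    out: List[Finding] = []
    for raw in http_log:
        method, target, headers = parse_http_request(raw)
        if method in ("GET", "POST") and "user-agent" not in headers:
            out.append(Finding("http-no-user-agent",
                               f"{method} {target} Host: {headers.get('host', '?')}"))
    return out


def analyze(dns_log, conn_log, http_log) -> List[Finding]:
    return (flag_ip_check_dns(dns_log)
            + flag_smtp_submission(conn_log)
            + flag_http_without_user_agent(http_log))


# Constructed telemetry; entries marked "from report" copy the Networking lines.
DNS_LOG = [("192.168.2.4", "bot.whatismyipaddress.com")] * 5 \
    + [("192.168.2.4", "www.microsoft.com")]                     # last entry assumed
CONN_LOG = [
    ("192.168.2.4", 49734, "54.39.139.67", 587, "document.exe"),  # from report; process assumed
    ("192.168.2.4", 49801, "93.184.216.34", 443, "msedge.exe"),   # benign contrast, assumed
]
HTTP_LOG = [
    "GET / HTTP/1.1\r\nHost: bot.whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",  # from report
    "GET / HTTP/1.1\r\nHost: bot.whatismyipaddress.com\r\n\r\n",                            # from report
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",     # benign, assumed
]

if __name__ == "__main__":
    for f in analyze(DNS_LOG, CONN_LOG, HTTP_LOG):
        print(f"[{f.kind}] {f.detail}")
```

On the constructed records this yields one aggregated DNS finding (five queries), one SMTP finding for the 54.39.139.67:587 connection, and two no-User-Agent findings for the two bot.whatismyipaddress.com requests; the benign records are left alone. Each of these is weak on its own (developers and inventory scripts do query IP-check services), which is why the sandbox reports them as separate signatures and why a detection should require the combination, ideally joined to the process-tree indicators from the Startup section.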

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000000.00000002.661460467.0000000004422000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.920684400.000000000049F000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.922737493.0000000002A49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.921619919.00000000022B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.920429567.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.662180338.00000000044BF000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.921319650.0000000000A40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.921713472.0000000002342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: document.exe PID: 2044, type: MEMORY
Source: Yara match | File source: Process Memory Space: document.exe PID: 6912, type: MEMORY
Source: Yara match | File source: 2.2.document.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.document.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.document.exe.a40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.document.exe.2340000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document.exe.43b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.document.exe.a40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.document.exe.4420000.3.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00422A30 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00423074 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00434C9C GetKeyboardState

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000000.00000002.661460467.0000000004422000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 0000000E.00000002.810258534.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects BabyShark KimJongRAT Author: Florian Roth
              Source: 00000002.00000002.920684400.000000000049F000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000002.00000002.922737493.0000000002A49000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000002.00000002.921619919.00000000022B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
              Source: 00000002.00000002.920429567.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye Keylogger Reborn Author: Florian Roth
Source: 00000000.00000002.662180338.00000000044BF000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000002.00000002.925878386.0000000004A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 00000002.00000002.921319650.0000000000A40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 00000002.00000002.921319650.0000000000A40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 00000002.00000002.921713472.0000000002342000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: document.exe PID: 2044, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: Process Memory Space: document.exe PID: 6912, type: MEMORY | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 2.2.document.exe.4a30000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 2.2.document.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 2.2.document.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 2.2.document.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 2.2.document.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 2.2.document.exe.a40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 2.2.document.exe.a40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 2.2.document.exe.2340000.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 2.2.document.exe.2340000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 0.2.document.exe.43b0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0.2.document.exe.43b0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 2.2.document.exe.a40000.2.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 2.2.document.exe.a40000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Source: 2.2.document.exe.4a30000.5.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT | Author: Florian Roth
Source: 0.2.document.exe.4420000.3.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye Keylogger Reborn | Author: Florian Roth
Source: 0.2.document.exe.4420000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEye v9 Payload | Author: ditekshen
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: document.exe
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00452BE4 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00437BD4 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00453360 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00453410 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004477D4 GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0042B940 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_00498159 NtCreateSection
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00452BE4 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00437BD4 NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00453360 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00453410 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_004477D4 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_0042B940 NtdllDefWindowProc_A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0044D2B8
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004477D4
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_00444A66
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_00491976
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_0049713D
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_004E1D4E
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_023F2478
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_02403610
Source: C:\Users\user\Desktop\document.exe | Code function: 2_2_0240368C
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_0044D2B8
Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_004477D4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004360CE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040509C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00405199
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0043C2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00440406
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040451D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_004045FF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_0040458E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404690
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00414A51
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00404C08
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00445190 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416849 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004166E8 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00416A91 appears 80 times
Source: C:\Users\user\Desktop\document.exe | Code function: String function: 00403D20 appears 37 times
Source: C:\Users\user\Desktop\document.exe | Code function: String function: 0040BFD8 appears 35 times
Source: C:\Users\user\Desktop\document.exe | Code function: String function: 00404268 appears 38 times
Source: C:\Users\user\Desktop\document.exe | Code function: String function: 004065C8 appears 31 times
Source: C:\Users\user\Desktop\document.exe | Code function: String function: 00404244 appears 158 times
Source: C:\Users\user\Desktop\document.exe | Code function: String function: 004038A4 appears 77 times
Source: C:\Users\user\Desktop\document.exe | Code function: String function: 00403CCC appears 31 times
Source: C:\Users\user\Desktop\document.exe | Code function: String function: 004034D8 appears 71 times
Source: document.exe, 00000000.00000002.661460467.0000000004422000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs document.exe
Source: document.exe, 00000000.00000002.658703831.00000000004FE000.00000004.00020000.sdmp | Binary or memory string: OriginalFilename$ vs document.exe
Source: document.exe, 00000000.00000002.659002273.00000000022C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs document.exe
Source: document.exe | Binary or memory string: OriginalFilename vs document.exe
Source: document.exe, 00000002.00000002.928178604.0000000007B90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs document.exe
Source: document.exe, 00000002.00000000.656420154.00000000004FE000.00000008.00020000.sdmp | Binary or memory string: OriginalFilename$ vs document.exe
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs document.exe
Source: document.exe, 00000002.00000002.927829272.0000000007940000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmiutils.dll.muij% vs document.exe
Source: document.exe, 00000002.00000002.921126337.0000000000761000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs document.exe
Source: document.exe, 00000002.00000002.920684400.000000000049F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameRebornX Stub.exe" vs document.exe
Source: document.exe, 00000003.00000000.658117423.00000000004FE000.00000008.00020000.sdmp | Binary or memory string: OriginalFilename$ vs document.exe
Source: document.exe, 00000003.00000002.921336818.0000000002360000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs document.exe
Source: document.exe | Binary or memory string: OriginalFilename$ vs document.exe
Source: 00000000.00000002.661460467.0000000004422000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.810258534.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000002.00000002.920684400.000000000049F000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.922737493.0000000002A49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.921619919.00000000022B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.920429567.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.662180338.00000000044BF000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.925878386.0000000004A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 00000002.00000002.921319650.0000000000A40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.921319650.0000000000A40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 00000002.00000002.921713472.0000000002342000.00000040.00000001.sdmp, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: document.exe PID: 2044, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: document.exe PID: 6912, type: MEMORY | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: document.exe PID: 6912, type: MEMORY | Matched rule: CobaltStrike_C2_Host_Indicator date = 2019-08-16, author = yara@s3c.za.net, description = Detects CobaltStrike C2 host artifacts
Source: 2.2.document.exe.4a30000.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 2.2.document.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.document.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 2.2.document.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.document.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 2.2.document.exe.a40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.document.exe.a40000.2.raw.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 2.2.document.exe.2340000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.document.exe.2340000.4.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0.2.document.exe.43b0000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.document.exe.43b0000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 14.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 14.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 2.2.document.exe.a40000.2.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.document.exe.a40000.2.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 2.2.document.exe.4a30000.5.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Source: 0.2.document.exe.4420000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_HawkEye_Keylogger_Gen_Dec18 date = 2018-12-10, hash1 = b8693e015660d7bd791356b352789b43bf932793457d54beae351cf7a3de4dad, author = Florian Roth, description = Detects HawkEye Keylogger Reborn, reference = https://twitter.com/James_inthe_box/status/1072116224652324870, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.document.exe.4420000.3.unpack, type: UNPACKEDPE | Matched rule: HawkEyev9 author = ditekshen, description = HawkEye v9 Payload, cape_type = HawkEyev9 Payload
Source: 0.2.document.exe.4420000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.document.exe.4420000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.document.exe.4420000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.document.exe.4420000.3.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.document.exe.2340000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.document.exe.2340000.4.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.document.exe.2340000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.document.exe.2340000.4.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.document.exe.22b0000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.document.exe.22b0000.3.unpack, u200d????????????????????????????????????????.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.document.exe.22b0000.3.unpack, u200c???????????????????????????????????????.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.document.exe.22b0000.3.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.document.exe.4420000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.document.exe.4420000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.document.exe.22b0000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 2.2.document.exe.22b0000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 2.2.document.exe.22b0000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 2.2.document.exe.2340000.4.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.2.document.exe.2340000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.document.exe.2340000.4.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.document.exe.22b0000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.document.exe.22b0000.3.unpack, u202d????????????????????????????????????????.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.document.exe.4420000.3.unpack, u206a????????????????????????????????????????.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 2.2.document.exe.2340000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 2.2.document.exe.2340000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 2.2.document.exe.2340000.4.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: 0.2.document.exe.4420000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void Microsoft.Win32.RegistryKey::SetAccessControl(System.Security.AccessControl.RegistrySecurity)
Source: 0.2.document.exe.4420000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Security.Principal.IdentityReference System.Security.Principal.SecurityIdentifier::Translate(System.Type)
Source: 0.2.document.exe.4420000.3.unpack, u206f????????????????????????????????????????.cs | Security API names: System.Void System.Security.AccessControl.RegistrySecurity::AddAccessRule(System.Security.AccessControl.RegistryAccessRule)
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@9/2@2/2
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0041FB48 GetLastError,FormatMessageA
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004088E8 GetDiskFreeSpaceA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 4_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00413728 FindResourceA
Source: C:\Users\user\Desktop\document.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\document.exe | Mutant created: \Sessions\1\BaseNamedObjects\f98d37f4-ca90-4ed7-9f6f-6121c4014605
Source: C:\Users\user\Desktop\document.exe | File created: C:\Users\user\AppData\Local\Temp\4068932e-693a-0725-c793-7bd83ae177f8
Source: C:\Users\user\Desktop\document.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\document.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\document.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\document.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\document.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\document.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\document.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\document.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\document.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\document.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.675600735.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: document.exe | Virustotal: Detection: 38%
              Source: document.exe | ReversingLabs: Detection: 22%
              Source: unknown | Process created: C:\Users\user\Desktop\document.exe 'C:\Users\user\Desktop\document.exe'
              Source: unknown | Process created: C:\Users\user\Desktop\document.exe 'C:\Users\user\Desktop\document.exe'
              Source: unknown | Process created: C:\Users\user\Desktop\document.exe 'C:\Users\user\Desktop\document.exe' 2 6912 4527000
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2DB7.tmp'
              Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp26BE.tmp'
              Source: C:\Users\user\Desktop\document.exe | Process created: C:\Users\user\Desktop\document.exe 'C:\Users\user\Desktop\document.exe'
              Source: C:\Users\user\Desktop\document.exe | Process created: C:\Users\user\Desktop\document.exe 'C:\Users\user\Desktop\document.exe' 2 6912 4527000
              Source: C:\Users\user\Desktop\document.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp2DB7.tmp'
              Source: C:\Users\user\Desktop\document.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe' /stext 'C:\Users\user\AppData\Local\Temp\tmp26BE.tmp'
              Source: C:\Users\user\Desktop\document.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
              Source: C:\Users\user\Desktop\document.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Users\user\Desktop\document.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb | source: document.exe, 00000002.00000002.923862578.0000000002C66000.00000004.00000001.sdmp, vbc.exe
              Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb | source: document.exe, 00000002.00000002.926343098.0000000006601000.00000004.00000001.sdmp, vbc.exe, 0000000E.00000002.810258534.0000000000400000.00000040.00000001.sdmp
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0043E990 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_0043E990
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0043EFC0 push 0043F04Dh; ret 0_2_0043F045
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00458064 push 00458097h; ret 0_2_0045808F
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00426008 push 00426034h; ret 0_2_0042602C
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0042C0C8 push 0042C0F4h; ret 0_2_0042C0EC
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00410100 push 00410214h; ret 0_2_0041020C
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0042C11C push 0042C148h; ret 0_2_0042C140
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004101E8 push 00410214h; ret 0_2_0041020C
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0042619E push 004261CCh; ret 0_2_004261C4
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004261A0 push 004261CCh; ret 0_2_004261C4
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0045A274 push 0045A29Ah; ret 0_2_0045A292
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0044020C push ecx; mov dword ptr [esp], edx 0_2_00440210
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0045A23C push 0045A268h; ret 0_2_0045A260
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0044828C push 004482F7h; ret 0_2_004482EF
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00416460 push ecx; mov dword ptr [esp], edx 0_2_00416462
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004404EC push 00440518h; ret 0_2_00440510
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00406486 push 004064D9h; ret 0_2_004064D1
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00406488 push 004064D9h; ret 0_2_004064D1
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0042E5E0 push 0042E64Ah; ret 0_2_0042E642
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0042E64C push 0042E6B6h; ret 0_2_0042E6AE
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00406658 push 00406684h; ret 0_2_0040667C
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004066D0 push 004066FCh; ret 0_2_004066F4
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0041C83A push 0041C8E2h; ret 0_2_0041C8DA
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0041C83C push 0041C8E2h; ret 0_2_0041C8DA
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0041C946 push 0041CC44h; ret 0_2_0041CC3C
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00426960 push 0042698Ch; ret 0_2_00426984
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00426920 push 0042694Ch; ret 0_2_00426944
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004149D8 push ecx; mov dword ptr [esp], edx 0_2_004149D9
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00412994 push ecx; mov dword ptr [esp], edx 0_2_00412999
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00434A3C push ecx; mov dword ptr [esp], ecx 0_2_00434A40
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00412BBC push ecx; mov dword ptr [esp], edx 0_2_00412BC1
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0041CC18 push 0041CC44h; ret 0_2_0041CC3C
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00452C6C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00452C6C
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004263D8 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_004263D8
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_0043A434 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0043A434
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_004392A8 IsIconic,GetCapture, 0_2_004392A8
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00453360 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00453360
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00453410 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00453410
              Source: C:\Users\user\Desktop\document.exe | Code function: 0_2_00439B50 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_00439B50
              Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00452C6C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 3_2_00452C6C
              Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_004263D8 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_004263D8
              Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_0043A434 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 3_2_0043A434
              Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_004392A8 IsIconic,GetCapture, 3_2_004392A8
              Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00453360 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 3_2_00453360
              Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00453410 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 3_2_00453410
              Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_00439B50 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 3_2_00439B50
              Source: C:\Users\user\Desktop\document.exe | Code function: 3_2_0044FD60 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 3_2_0044FD60
              Source: C:\Users\user\Desktop\document.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:
