Loading ...

Play interactive tourEdit tour

Analysis Report office.exe

Overview

General Information

Sample Name:office.exe
Analysis ID:299245
MD5:0d139e4c677b01e44799bc5106286800
SHA1:824bbf9e1cd9b56de37f1a939c96b1a19b252d00
SHA256:29a9dba7f6eec11df813a5e624bf3d6bda29ac832191df69a6253ad5f3db924c
Tags:exeHawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • office.exe (PID: 1888 cmdline: 'C:\Users\user\Desktop\office.exe' MD5: 0D139E4C677B01E44799BC5106286800)
    • office.exe (PID: 5788 cmdline: 'C:\Users\user\Desktop\office.exe' MD5: 0D139E4C677B01E44799BC5106286800)
      • vbc.exe (PID: 6924 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5664 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
  • 0x7b6c6:$key: HawkEyeKeylogger
  • 0x7d8a4:$salt: 099u787978786
  • 0x7bcd3:$string1: HawkEye_Keylogger
  • 0x7cb12:$string1: HawkEye_Keylogger
  • 0x7d804:$string1: HawkEye_Keylogger
  • 0x7c0a8:$string2: holdermail.txt
  • 0x7c0c8:$string2: holdermail.txt
  • 0x7bfea:$string3: wallet.dat
  • 0x7c002:$string3: wallet.dat
  • 0x7c018:$string3: wallet.dat
  • 0x7d3e6:$string4: Keylog Records
  • 0x7d6fe:$string4: Keylog Records
  • 0x7d8fc:$string5: do not script -->
  • 0x7b6ae:$string6: \pidloc.txt
  • 0x7b708:$string7: BSPLIT
  • 0x7b718:$string7: BSPLIT
00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
        • 0x7bd2b:$hawkstr1: HawkEye Keylogger
        • 0x7cb58:$hawkstr1: HawkEye Keylogger
        • 0x7ce87:$hawkstr1: HawkEye Keylogger
        • 0x7cfe2:$hawkstr1: HawkEye Keylogger
        • 0x7d145:$hawkstr1: HawkEye Keylogger
        • 0x7d3be:$hawkstr1: HawkEye Keylogger
        • 0x7b8b9:$hawkstr2: Dear HawkEye Customers!
        • 0x7ceda:$hawkstr2: Dear HawkEye Customers!
        • 0x7d031:$hawkstr2: Dear HawkEye Customers!
        • 0x7d198:$hawkstr2: Dear HawkEye Customers!
        • 0x7b9da:$hawkstr3: HawkEye Logger Details:
        Click to see the 51 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        4.2.vbc.exe.400000.0.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          5.2.vbc.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
            1.2.office.exe.2270000.1.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
            • 0x79ac6:$key: HawkEyeKeylogger
            • 0x7bca4:$salt: 099u787978786
            • 0x7a0d3:$string1: HawkEye_Keylogger
            • 0x7af12:$string1: HawkEye_Keylogger
            • 0x7bc04:$string1: HawkEye_Keylogger
            • 0x7a4a8:$string2: holdermail.txt
            • 0x7a4c8:$string2: holdermail.txt
            • 0x7a3ea:$string3: wallet.dat
            • 0x7a402:$string3: wallet.dat
            • 0x7a418:$string3: wallet.dat
            • 0x7b7e6:$string4: Keylog Records
            • 0x7bafe:$string4: Keylog Records
            • 0x7bcfc:$string5: do not script -->
            • 0x79aae:$string6: \pidloc.txt
            • 0x79b08:$string7: BSPLIT
            • 0x79b18:$string7: BSPLIT
            5.2.vbc.exe.400000.0.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              1.2.office.exe.2270000.1.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
                Click to see the 39 entries

                Sigma Overview

                No Sigma rule has matched

                Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Found malware configurationShow sources
                Source: vbc.exe.5664.5.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
                Machine Learning detection for sampleShow sources
                Source: office.exeJoe Sandbox ML: detected
                Source: 0.2.office.exe.4310000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 1.2.office.exe.2270000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 1.2.office.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.office.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.office.exe.2390000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.office.exe.2390000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 0.2.office.exe.4370000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 0.2.office.exe.4370000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.office.exe.2300000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.office.exe.2300000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: office.exeBinary or memory string: [autorun]
                Source: office.exeBinary or memory string: autorun.inf
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00408868 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408868
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_004059F8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_004059F8
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00406EC3
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,5_2_00408441
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,5_2_00407E0E

                Networking:

                barindex
                Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                Source: TrafficSnort IDS: 2019926 ET TROJAN HawkEye Keylogger Report SMTP 192.168.2.7:49734 -> 208.91.199.224:587
                May check the online IP address of the machineShow sources
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: global trafficTCP traffic: 192.168.2.7:49734 -> 208.91.199.224:587
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
                Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
                Source: Joe Sandbox ViewIP Address: 104.16.155.36 104.16.155.36
                Source: global trafficTCP traffic: 192.168.2.7:49734 -> 208.91.199.224:587
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.273392695.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.273392695.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: vbc.exe, 00000005.00000002.274024546.000000000092E000.00000004.00000001.sdmpString found in binary or memory: go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login/7qD equals www.facebook.com (Facebook)
                Source: vbc.exe, 00000005.00000002.274024546.000000000092E000.00000004.00000001.sdmpString found in binary or memory: go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login/7qD equals www.yahoo.com (Yahoo)
                Source: office.exe, vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: vbc.exe, 00000005.00000003.271503758.000000000092B000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=
                Source: vbc.exe, 00000005.00000003.271503758.000000000092B000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=
                Source: unknownDNS traffic detected: queries for: 45.97.11.0.in-addr.arpa
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: office.exe, 00000001.00000002.511201044.0000000002921000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
                Source: office.exeString found in binary or memory: http://whatismyipaddress.com/
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: office.exe, 00000001.00000003.249240944.000000000501A000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                Source: office.exe, 00000001.00000003.249240944.000000000501A000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlnjq
                Source: office.exe, 00000001.00000003.247140178.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                Source: office.exe, 00000001.00000003.247140178.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com.Bt
                Source: office.exe, 00000001.00000003.247140178.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comC
                Source: office.exe, 00000001.00000003.247838473.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comP
                Source: office.exe, 00000001.00000003.247505115.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comS
                Source: office.exe, 00000001.00000003.247505115.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
                Source: office.exe, 00000001.00000003.247505115.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTCpr
                Source: office.exe, 00000001.00000003.247505115.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTCyr
                Source: office.exe, 00000001.00000003.247140178.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comei
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                Source: office.exe, 00000001.00000003.247008341.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml-g
                Source: office.exe, 00000001.00000003.247505115.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coms-m
                Source: office.exe, 00000001.00000003.247505115.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comtt
                Source: office.exe, 00000001.00000003.247092147.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comva
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                Source: office.exe, 00000001.00000002.514083279.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                Source: office.exe, 00000001.00000002.514083279.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comion
                Source: office.exe, 00000001.00000002.514083279.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comld
                Source: office.exe, 00000001.00000002.514083279.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoC
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                Source: office.exe, 00000001.00000003.246388207.000000000501B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                Source: office.exe, 00000001.00000003.246388207.000000000501B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                Source: office.exe, 00000001.00000003.245937825.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnLr
                Source: office.exe, 00000001.00000003.252301668.0000000005026000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: office.exe, 00000001.00000003.249127840.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: office.exe, 00000001.00000003.248482909.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/3
                Source: office.exe, 00000001.00000003.249127840.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
                Source: office.exe, 00000001.00000003.248482909.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-i
                Source: office.exe, 00000001.00000003.249127840.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/i
                Source: office.exe, 00000001.00000003.249127840.0000000004FEB000.00000004.00000001.sdmp, office.exe, 00000001.00000003.248762921.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                Source: office.exe, 00000001.00000003.249127840.0000000004FEB000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/3
                Source: office.exe, 00000001.00000003.249928848.000000000501B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                Source: vbc.exe, vbc.exe, 00000005.00000002.273392695.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: office.exe, 00000001.00000003.249307105.000000000501A000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                Source: office.exe, 00000001.00000003.249307105.000000000501A000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-u
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: office.exe, 00000001.00000002.511201044.0000000002921000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: office.exe, 00000001.00000003.247897981.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlp
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: office.exe, 00000001.00000003.250031130.000000000501B000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                Source: office.exe, 00000001.00000002.514941291.0000000006272000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: office.exe, 00000001.00000003.247140178.000000000501C000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: vbc.exe, 00000005.00000003.271603211.0000000000A2D000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;g
                Source: vbc.exe, 00000005.00000003.271603211.0000000000A2D000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692
                Source: vbc.exe, 00000005.00000003.271603211.0000000000A2D000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.
                Source: vbc.exe, 00000005.00000003.271503758.000000000092B000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
                Source: office.exe, vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: office.exe, 00000001.00000002.511201044.0000000002921000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                Source: office.exe, 00000001.00000002.511201044.0000000002921000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com/
                Source: office.exe, vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                barindex
                Yara detected HawkEye KeyloggerShow sources
                Source: Yara matchFile source: 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.246879081.0000000004407000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.509181169.0000000002392000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000001.242584000.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.509008599.0000000002302000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.507722847.0000000000497000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.508881636.0000000002270000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.511201044.0000000002921000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: office.exe PID: 5788, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: office.exe PID: 1888, type: MEMORY
                Source: Yara matchFile source: 1.2.office.exe.2270000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.1.office.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.office.exe.2390000.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.office.exe.2270000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.office.exe.4310000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.office.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.office.exe.2300000.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.office.exe.4370000.3.unpack, type: UNPACKEDPE
                Contains functionality to log keystrokes (.Net Source)Show sources
                Source: 0.2.office.exe.4370000.3.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 1.2.office.exe.400000.0.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 1.2.office.exe.2390000.3.unpack, Form1.cs.Net Code: HookKeyboard
                Source: 1.2.office.exe.2300000.2.unpack, Form1.cs.Net Code: HookKeyboard
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,4_2_0040AC8A
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00424BD4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,0_2_00424BD4
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00435C3C GetKeyboardState,0_2_00435C3C
                Source: Yara matchFile source: Process Memory Space: office.exe PID: 5788, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: office.exe PID: 1888, type: MEMORY

                System Summary:

                barindex
                Malicious sample detected (through community Yara rule)Show sources
                Source: 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.246879081.0000000004407000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.246879081.0000000004407000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.509181169.0000000002392000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.509181169.0000000002392000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000001.242584000.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000001.242584000.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.509008599.0000000002302000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.509008599.0000000002302000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.507722847.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.507722847.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.508881636.0000000002270000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000001.00000002.508881636.0000000002270000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.511201044.0000000002921000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.office.exe.2270000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.office.exe.2270000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.1.office.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.1.office.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.office.exe.2390000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.office.exe.2390000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.office.exe.2270000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.office.exe.2270000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.office.exe.4310000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.office.exe.4310000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.office.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.office.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 1.2.office.exe.2300000.2.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 1.2.office.exe.2300000.2.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.office.exe.4370000.3.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.office.exe.4370000.3.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00438B74 NtdllDefWindowProc_A,GetCapture,0_2_00438B74
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00453908 NtdllDefWindowProc_A,0_2_00453908
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00454084 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00454084
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00454134 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00454134
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_004484F8 GetSubMenu,SaveDC,RestoreDC,7306B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_004484F8
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_0042C860 NtdllDefWindowProc_A,0_2_0042C860
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_00490159 NtCreateSection,1_2_00490159
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification,FreeLibrary,5_2_00408836
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_004484F80_2_004484F8
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_0044DFDC0_2_0044DFDC
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0040D4261_2_0040D426
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0040D5231_2_0040D523
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0041D5AE1_2_0041D5AE
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_004176461_2_00417646
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_004429BE1_2_004429BE
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_00446AF41_2_00446AF4
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0046ABFC1_2_0046ABFC
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_00463C4D1_2_00463C4D
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_00463CBE1_2_00463CBE
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0040ED031_2_0040ED03
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_00463D2F1_2_00463D2F
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_00463DC01_2_00463DC0
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0040CF921_2_0040CF92
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0041AFA61_2_0041AFA6
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0048F13D1_2_0048F13D
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_004899761_2_00489976
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_004F90171_2_004F9017
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_004F90A81_2_004F90A8
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_004A227A1_2_004A227A
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_004B028E1_2_004B028E
                Source: C:\Users\user\Desktop\office.exeCode function: 1_2_0043C7BC1_2_0043C7BC
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00404DDB4_2_00404DDB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_0040BD8A4_2_0040BD8A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00404E4C4_2_00404E4C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00404EBD4_2_00404EBD
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00404F4E4_2_00404F4E
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004044195_2_00404419
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004045165_2_00404516
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004135385_2_00413538
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004145A15_2_004145A1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0040E6395_2_0040E639
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004337AF5_2_004337AF
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_004399B15_2_004399B1
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0043DAE75_2_0043DAE7
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00405CF65_2_00405CF6
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00403F855_2_00403F85
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00411F995_2_00411F99
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
                Source: C:\Users\user\Desktop\office.exeCode function: String function: 00404258 appears 76 times
                Source: C:\Users\user\Desktop\office.exeCode function: String function: 0044BA9D appears 35 times
                Source: office.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                Source: office.exe, 00000000.00000002.243731355.0000000002390000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs office.exe
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs office.exe
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs office.exe
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs office.exe
                Source: office.exe, 00000000.00000002.246786734.00000000043F2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs office.exe
                Source: office.exe, 00000000.00000002.243056091.000000000047F000.00000002.00020000.sdmpBinary or memory string: OriginalFilename$ vs office.exe
                Source: office.exeBinary or memory string: OriginalFilename vs office.exe
                Source: office.exeBinary or memory string: OriginalFileName vs office.exe
                Source: office.exe, 00000001.00000000.241991484.000000000047F000.00000002.00020000.sdmpBinary or memory string: OriginalFilename$ vs office.exe
                Source: office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs office.exe
                Source: office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs office.exe
                Source: office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs office.exe
                Source: office.exe, 00000001.00000002.515961564.0000000007230000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs office.exe
                Source: office.exe, 00000001.00000002.507701321.0000000000482000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs office.exe
                Source: office.exe, 00000001.00000002.508272664.0000000000810000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs office.exe
                Source: office.exeBinary or memory string: OriginalFilename$ vs office.exe
                Source: 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.246879081.0000000004407000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.246879081.0000000004407000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.509181169.0000000002392000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.509181169.0000000002392000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000001.242584000.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000001.242584000.00000000004D2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.509008599.0000000002302000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.509008599.0000000002302000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.507722847.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.507722847.0000000000497000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.508881636.0000000002270000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000001.00000002.508881636.0000000002270000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000001.00000002.511201044.0000000002921000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.office.exe.2270000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.office.exe.2270000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.1.office.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.1.office.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.office.exe.2390000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.office.exe.2390000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.office.exe.2270000.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.office.exe.2270000.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.office.exe.4310000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.office.exe.4310000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.office.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.office.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 1.2.office.exe.2300000.2.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 1.2.office.exe.2300000.2.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.office.exe.4370000.3.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0.2.office.exe.4370000.3.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.office.exe.4370000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.office.exe.4370000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.office.exe.4370000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 0.2.office.exe.4370000.3.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                Source: 1.2.office.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.office.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.office.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 1.2.office.exe.400000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.office.exe.4370000.3.unpack, Form1.csBase64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.office.exe.400000.0.unpack, Form1.csBase64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.office.exe.2390000.3.unpack, Form1.csBase64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.office.exe.2300000.2.unpack, Form1.csBase64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: 1.2.office.exe.2300000.2.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.office.exe.2390000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 1.2.office.exe.400000.0.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: 0.2.office.exe.4370000.3.unpack, Form1.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@7/3@4/4
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00421CEC GetLastError,FormatMessageA,0_2_00421CEC
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_004089E0 GetDiskFreeSpaceA,0_2_004089E0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,5_2_00411196
                Source: C:\Users\user\Desktop\office.exeCode function: 0_2_00415558 FindResourceA,0_2_00415558
                Source: C:\Users\user\Desktop\office.exeFile created: C:\Users\user\AppData\Roaming\pid.txtJump to behavior
                Source: C:\Users\user\Desktop\office.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\holdermail.txtJump to behavior
                Source: C:\Users\user\Desktop\office.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
                Source: C:\Users\user\Desktop\office.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
                Source: C:\Users\user\Desktop\office.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                Source: C:\Users\user\Desktop\office.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformationJump to behavior
                Source: C:\Users\user\Desktop\office.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\office.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Users\user\Desktop\office.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\office.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\office.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\office.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\office.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\Desktop\office.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: office.exe, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: office.exe, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: office.exe, 00000000.00000002.246240676.0000000004372000.00000040.00000001.sdmp, office.exe, 00000001.00000002.507500849.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000005.00000002.273392695.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: office.exe, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: office.exe, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: office.exe, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: office.exe, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: unknownProcess created: C:\Users\user\Desktop\office.exe 'C:\Users\user\Desktop\office.exe'
                Source: unknownProcess created: C:\Users\user\Desktop\office.exe 'C:\Users\user\Desktop\office.exe'
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                Source: C:\Users\user\Desktop\office.exeProcess created: C:\Users\user\Desktop\office.exe 'C:\Users\user\Desktop\office.exe' Jump to behavior
                Source: C:\Users\user\Desktop\office.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'Jump to behavior
                Source: C:\Users\user\Desktop\office.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'Jump to behavior
                Source: C:\Users\user\Desktop\office.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\office.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                Source: C:\Users\user\Desktop\office.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                Source: Binary string: zTs5.pdb6 source: office.exe, 00000001.00000001.242584000.00000000004D2000.00000040.00020000.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: office.exe
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: office.exe, vbc.exe
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: office.exe, vbc.exe

                Data Obfuscation: