
Analysis Report NDt93WWQwd089H7.exe

Overview

General Information

Sample Name: NDt93WWQwd089H7.exe
Analysis ID: 338401
MD5: 0f330f518f4f71f0735cce4eaf1612d7
SHA1: f34909417588543112974ebbc0fa8236a8a604c1
SHA256: 702554b4a0770d70bd5972318d2294ef2b26001595b574d122264b8c1793457c
Tags: exe, HawkEye

Most interesting Screenshot:

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • NDt93WWQwd089H7.exe (PID: 6980 cmdline: 'C:\Users\user\Desktop\NDt93WWQwd089H7.exe' MD5: 0F330F518F4F71F0735CCE4EAF1612D7)
    • schtasks.exe (PID: 7124 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\etUpjEKgKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp7AE9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • NDt93WWQwd089H7.exe (PID: 3548 cmdline: {path} MD5: 0F330F518F4F71F0735CCE4EAF1612D7)
      • dw20.exe (PID: 2244 cmdline: dw20.exe -x -s 2136 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6524 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b6f7:$key: HawkEyeKeylogger
  • 0x7d93b:$salt: 099u787978786
  • 0x7bd38:$string1: HawkEye_Keylogger
  • 0x7cb8b:$string1: HawkEye_Keylogger
  • 0x7d89b:$string1: HawkEye_Keylogger
  • 0x7c121:$string2: holdermail.txt
  • 0x7c141:$string2: holdermail.txt
  • 0x7c063:$string3: wallet.dat
  • 0x7c07b:$string3: wallet.dat
  • 0x7c091:$string3: wallet.dat
  • 0x7d45f:$string4: Keylog Records
  • 0x7d777:$string4: Keylog Records
  • 0x7d993:$string5: do not script -->
  • 0x7b6df:$string6: \pidloc.txt
  • 0x7b76d:$string7: BSPLIT
  • 0x7b77d:$string7: BSPLIT

Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_HawkEye
Description: Yara detected HawkEye Keylogger
Author: Joe Security

Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp
Rule: Hawkeye
Description: detect HawkEye in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x7bd90:$hawkstr1: HawkEye Keylogger
  • 0x7cbd1:$hawkstr1: HawkEye Keylogger
  • 0x7cf00:$hawkstr1: HawkEye Keylogger
  • 0x7d05b:$hawkstr1: HawkEye Keylogger
  • 0x7d1be:$hawkstr1: HawkEye Keylogger
  • 0x7d437:$hawkstr1: HawkEye Keylogger
  • 0x7b91e:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf53:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0aa:$hawkstr2: Dear HawkEye Customers!
  • 0x7d211:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba3f:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source: 7.2.vbc.exe.400000.0.raw.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 7.2.vbc.exe.400000.0.unpack
Rule: JoeSecurity_MailPassView
Description: Yara detected MailPassView
Author: Joe Security

Source: 8.2.vbc.exe.400000.0.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 8.2.vbc.exe.400000.0.raw.unpack
Rule: JoeSecurity_WebBrowserPassView
Description: Yara detected WebBrowserPassView password recovery tool
Author: Joe Security

Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack
Rule: RAT_HawkEye
Description: Detects HawkEye RAT
Author: Kevin Breen <kevin@techanarchy.net>
Strings:
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  • Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\etUpjEKgKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp7AE9.tmp'
  • CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\etUpjEKgKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp7AE9.tmp'
  • CommandLine|base64offset|contains: *j
  • Image: C:\Windows\SysWOW64\schtasks.exe
  • NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  • OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\NDt93WWQwd089H7.exe'
  • ParentImage: C:\Users\user\Desktop\NDt93WWQwd089H7.exe
  • ParentProcessId: 6980
  • ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\etUpjEKgKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp7AE9.tmp'
  • ProcessId: 7124

                Signature Overview


                AV Detection:

Found malware configuration
Source: vbc.exe.6248.8.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\etUpjEKgKK.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: NDt93WWQwd089H7.exe | Virustotal: Detection: 42%
Source: NDt93WWQwd089H7.exe | ReversingLabs: Detection: 21%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\etUpjEKgKK.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NDt93WWQwd089H7.exe | Joe Sandbox ML: detected
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: NDt93WWQwd089H7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: NDt93WWQwd089H7.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb | source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb | source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb | source: NDt93WWQwd089H7.exe, 00000003.00000002.406508381.0000000007689000.00000004.00000010.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb | source: NDt93WWQwd089H7.exe, 00000003.00000002.399592617.0000000000E4F000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb | source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbx | source: NDt93WWQwd089H7.exe, 00000003.00000002.399592617.0000000000E4F000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: \??\C:\Users\user\Desktop\NDt93WWQwd089H7.PDB | source: NDt93WWQwd089H7.exe, 00000003.00000002.399592617.0000000000E4F000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb | source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb | source: NDt93WWQwd089H7.exe, 00000000.00000002.387340241.0000000007870000.00000002.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.403407323.00000000051C0000.00000002.00000001.sdmp
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 7_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 8_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 8_2_00407E0E
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_0301AF88
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then jmp 028D1A73h | 3_2_028D1A80
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_028DA79F
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then jmp 028D1A73h | 3_2_028D19A0
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then jmp 028D1A73h | 3_2_028D19B0
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_028D14C0
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_028D17F8
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_028D0728
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_028D603B
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then mov esp, ebp | 3_2_028D4830
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 3_2_028D5B70

                Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36 104.16.155.36
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.391162652.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.391162652.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 144.48.8.0.in-addr.arpa
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: NDt93WWQwd089H7.exe, 00000000.00000002.382306744.00000000058A0000.00000002.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.403713675.0000000005550000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: NDt93WWQwd089H7.exe, 00000003.00000002.400292236.0000000002D61000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
Source: NDt93WWQwd089H7.exe, 00000003.00000002.400292236.0000000002D61000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: vbc.exe, vbc.exe, 00000008.00000002.391162652.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
                Source: NDt93WWQwd089H7.exe, 00000003.00000002.400292236.0000000002D61000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                Source: NDt93WWQwd089H7.exe, 00000003.00000002.403713675.0000000005550000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.342561437.000000000572B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comnt
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.342633757.000000000572B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comslnt
                Source: NDt93WWQwd089H7.exe, 00000000.00000002.382306744.00000000058A0000.00000002.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.403713675.0000000005550000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.347700147.0000000005722000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000000.00000003.345535992.000000000572E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.345819766.000000000572E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de4
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.347700147.0000000005722000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de:
                Source: NDt93WWQwd089H7.exe, 00000000.00000002.382306744.00000000058A0000.00000002.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.403713675.0000000005550000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.345535992.000000000572E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deo
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.345602390.000000000572E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dett
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.341937780.000000000571E000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.403713675.0000000005550000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: NDt93WWQwd089H7.exe, 00000000.00000003.341937780.000000000571E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnse
                Source: vbc.exe, 00000008.00000003.390845966.000000000212C000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activi
                Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.400292236.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: NDt93WWQwd089H7.exe PID: 6980, type: MEMORY
Source: Yara match | File source: Process Memory Space: NDt93WWQwd089H7.exe PID: 3548, type: MEMORY
Source: Yara match | File source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NDt93WWQwd089H7.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.400292236.0000000002D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.400292236.0000000002D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 3_2_04F558C6 NtResumeThread
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 3_2_04F5581E NtQuerySystemInformation
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 3_2_04F5596E NtWriteVirtualMemory
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 3_2_04F557DA NtQuerySystemInformation
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 3_2_04F55941 NtWriteVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2136
Source: NDt93WWQwd089H7.exe, 00000000.00000002.387340241.0000000007870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000000.00000002.377690697.000000000346D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000000.00000002.387213472.0000000007810000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000000.00000002.387213472.0000000007810000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000000.00000002.387544035.00000000078D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000000.00000002.387141650.00000000077B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000003.00000002.403407323.00000000051C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe, 00000003.00000002.404724329.0000000006790000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs NDt93WWQwd089H7.exe
Source: NDt93WWQwd089H7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.400292236.0000000002D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.400292236.0000000002D61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: NDt93WWQwd089H7.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: etUpjEKgKK.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@12/9@2/2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 3_2_04F54E52 AdjustTokenPrivileges
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Code function: 3_2_04F54E1B AdjustTokenPrivileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 8_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File created: C:\Users\user\AppData\Roaming\etUpjEKgKK.exe
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7AE9.tmp
Source: NDt93WWQwd089H7.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000008.00000002.391162652.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: NDt93WWQwd089H7.exe | Virustotal: Detection: 42%
Source: NDt93WWQwd089H7.exe | ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File read: C:\Users\user\Desktop\NDt93WWQwd089H7.exe
Source: unknown | Process created: C:\Users\user\Desktop\NDt93WWQwd089H7.exe 'C:\Users\user\Desktop\NDt93WWQwd089H7.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\etUpjEKgKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp7AE9.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\NDt93WWQwd089H7.exe {path}
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2136
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\etUpjEKgKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp7AE9.tmp'
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Process created: C:\Users\user\Desktop\NDt93WWQwd089H7.exe {path}
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2136
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: NDt93WWQwd089H7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NDt93WWQwd089H7.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: NDt93WWQwd089H7.exe | Static file information: File size 1321984 > 1048576
Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: NDt93WWQwd089H7.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13de00
Source: NDt93WWQwd089H7.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
                Source: Binary string: 1<pC:\Windows\mscorlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.406508381.0000000007689000.00000004.00000010.sdmp
                Source: Binary string: mscorlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
                Source: Binary string: symbols\dll\mscorlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.406508381.0000000007689000.00000004.00000010.sdmp
                Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.399592617.0000000000E4F000.00000004.00000020.sdmp
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp
                Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: NDt93WWQwd089H7.exe, 00000003.00000002.406508381.0000000007689000.00000004.00000010.sdmp
                Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.406508381.0000000007689000.00000004.00000010.sdmp
                Source: Binary string: C:\Windows\mscorlib.pdbk source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
                Source: Binary string: .pdbh source: NDt93WWQwd089H7.exe, 00000003.00000002.406508381.0000000007689000.00000004.00000010.sdmp
                Source: Binary string: C:\Windows\dll\mscorlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbx source: NDt93WWQwd089H7.exe, 00000003.00000002.399592617.0000000000E4F000.00000004.00000020.sdmp
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: NDt93WWQwd089H7.exe, 00000000.00000002.381513647.00000000047E8000.00000004.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.398869541.0000000000402000.00000040.00000001.sdmp, vbc.exe
                Source: Binary string: mscorlib.pdbQwd089H7.exe source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
                Source: Binary string: \??\C:\Users\user\Desktop\NDt93WWQwd089H7.PDB source: NDt93WWQwd089H7.exe, 00000003.00000002.399592617.0000000000E4F000.00000004.00000020.sdmp
                Source: Binary string: rlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
                Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: NDt93WWQwd089H7.exe, 00000003.00000002.399817254.00000000028E7000.00000004.00000040.sdmp
                Source: Binary string: mscorlib.pdbH source: NDt93WWQwd089H7.exe, 00000003.00000002.406508381.0000000007689000.00000004.00000010.sdmp
                Source: Binary string: mscorrc.pdb source: NDt93WWQwd089H7.exe, 00000000.00000002.387340241.0000000007870000.00000002.00000001.sdmp, NDt93WWQwd089H7.exe, 00000003.00000002.403407323.00000000051C0000.00000002.00000001.sdmp

                Data Obfuscation:

                .NET source code contains potential unpacker
                Source: NDt93WWQwd089H7.exe, ??cWIQZ?tjv?/pNBh??Q?f.cs.Net Code: ?Iap?V?F? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: etUpjEKgKK.exe.0.dr, ??cWIQZ?tjv?/pNBh??Q?f.cs.Net Code: ?Iap?V?F? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.NDt93WWQwd089H7.exe.b60000.0.unpack, ??cWIQZ?tjv?/pNBh??Q?f.cs.Net Code: ?Iap?V?F? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.0.NDt93WWQwd089H7.exe.b60000.0.unpack, ??cWIQZ?tjv?/pNBh??Q?f.cs.Net Code: ?Iap?V?F? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.NDt93WWQwd089H7.exe.5d0000.1.unpack, ??cWIQZ?tjv?/pNBh??Q?f.cs.Net Code: ?Iap?V?F? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.2.NDt93WWQwd089H7.exe.400000.0.unpack, Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 3.0.NDt93WWQwd089H7.exe.5d0000.0.unpack, ??cWIQZ?tjv?/pNBh??Q?f.cs.Net Code: ?Iap?V?F? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00403C3D LoadLibraryA,GetProcAddress,strcpy, 7_2_00403C3D
                Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe Code function: 0_2_0301C928 push eax; iretd 0_2_0301C929
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411879 push ecx; ret 7_2_00411889
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004118A0 push eax; ret 7_2_004118B4
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004118A0 push eax; ret 7_2_004118DC
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00442871 push ecx; ret 8_2_00442881
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00442A90 push eax; ret 8_2_00442AA4
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00442A90 push eax; ret 8_2_00442ACC
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 8_2_00446E54 push eax; ret 8_2_00446E61
                Source: initial sample Static PE information: section name: .text entropy: 7.82936221614
                Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe File created: C:\Users\user\AppData\Roaming\etUpjEKgKK.exe

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\etUpjEKgKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp7AE9.tmp'

                Hooking and other Techniques for Hiding and Protection:

                Changes the view of files in windows explorer (hidden files and folders)
                Source: C:\Users\user\Desktop\NDt93WWQwd089H7.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,Get