

Analysis Report B6LNCKjOGt5EmFQ.exe

Overview

General Information

Sample Name: B6LNCKjOGt5EmFQ.exe
Analysis ID: 339499
MD5: 80d255a6a5ec339e15d6fec3c0fef666
SHA1: bca665ff5a6a7084df2d424c0ed7fff3e141acbc
SHA256: 3e48d983e3315501931c646f896a8189637f5b9d21c453b051cd17f2584ee3c4
Tags: exe, Yahoo


Detection

HawkEye AgentTesla MailPassView Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • B6LNCKjOGt5EmFQ.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe' MD5: 80D255A6A5EC339E15D6FEC3C0FEF666)
    • schtasks.exe (PID: 4812 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • B6LNCKjOGt5EmFQ.exe (PID: 5336 cmdline: {path} MD5: 80D255A6A5EC339E15D6FEC3C0FEF666)
      • LOGO AND PICTURES.exe (PID: 6208 cmdline: 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0 MD5: D9001138C5119D936B70BF77E136AFBE)
        • netsh.exe (PID: 6184 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Pictures.exe (PID: 6240 cmdline: 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0 MD5: 25146E9C5ECD498DD17BA01E6CFAEB24)
        • dw20.exe (PID: 6740 cmdline: dw20.exe -x -s 2184 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
        • vbc.exe (PID: 6836 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • vbc.exe (PID: 6848 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • PO456724392021.exe (PID: 6292 cmdline: 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0 MD5: F38E2D474C075EFF35B4EF81FDACA650)
      • PO2345714382021.exe (PID: 6488 cmdline: 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0 MD5: 9B79DE8E3AD21F14E71E55CFA6AE4727)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: Agenttesla

{"Username: ": "", "URL: ": "", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5874", "Password: ": "", "From: ": "sales01@seedwellresources.xyz"}

Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\PO456724392021.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security
C:\Users\user\AppData\Local\Temp\Pictures.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\Pictures.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000008.00000003.291239624.0000000004451000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000014.00000002.308380033.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000003.283351079.000000000134C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
12.0.PO456724392021.exe.ab0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
16.0.PO2345714382021.exe.5d0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
12.2.PO456724392021.exe.ab0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
19.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
10.0.Pictures.exe.150000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data:
  • Command: 'netsh' wlan show profile
  • CommandLine: 'netsh' wlan show profile
  • CommandLine|base64offset|contains: V
  • Image: C:\Windows\SysWOW64\netsh.exe
  • NewProcessName: C:\Windows\SysWOW64\netsh.exe
  • OriginalFileName: C:\Windows\SysWOW64\netsh.exe
  • ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0
  • ParentImage: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe
  • ParentProcessId: 6208
  • ProcessCommandLine: 'netsh' wlan show profile
  • ProcessId: 6184
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data:
  • Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp'
  • CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp'
  • CommandLine|base64offset|contains: *j
  • Image: C:\Windows\SysWOW64\schtasks.exe
  • NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  • OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe'
  • ParentImage: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe
  • ParentProcessId: 6076
  • ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp'
  • ProcessId: 4812
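Both Sigma hits are process-creation rules that key on the image name plus command-line content: netsh.exe enumerating WLAN profiles (the step before `key=clear` dumps the PSK), and schtasks.exe registering a task whose XML definition sits under a Temp directory. The following is an added example, not Joe Sandbox's or the Sigma project's own code: it reimplements that logic in Python over constructed Sysmon-style events built from the two command lines in the Startup tree, plus two benign look-alikes to show the rules discriminate. The field names (Image, CommandLine, ParentImage, ProcessId) and the list of Temp directories are assumptions of this example.

```python
"""Sigma-style process-creation checks for the two rules that fired in the report.

Added example, not Joe Sandbox code. The event dictionaries below are constructed
from the command lines in the Startup tree; field names follow the Sysmon/Sigma
process_creation convention (Image, CommandLine, ParentImage) as an assumption.
"""
import re

# Rule 1: "Capture Wi-Fi password" -- netsh.exe dumping WLAN profiles.
# 'netsh wlan show profile <ssid> key=clear' reveals the PSK; the bare
# 'show profile' enumerates SSIDs to feed that second call, so both are flagged.
def capture_wifi_password(ev: dict) -> bool:
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not image.endswith("\\netsh.exe"):
        return False
    return "wlan" in cmd and "show" in cmd and "profile" in cmd

# Rule 2: "Scheduled temp file as task from temp location" -- schtasks /Create
# with a task definition XML that lives under a Temp directory.
_XML_ARG = re.compile(r'''/xml\s+(?:"([^"]+)"|'([^']+)'|(\S+))''', re.IGNORECASE)
_TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")  # assumption

def scheduled_task_from_temp(ev: dict) -> bool:
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if not image.endswith("\\schtasks.exe") or "/create" not in cmd.lower():
        return False
    m = _XML_ARG.search(cmd)
    if not m:
        return False
    xml_path = next(g for g in m.groups() if g).lower()  # whichever quoting style matched
    return any(t in xml_path for t in _TEMP_DIRS)

RULES = {
    "Capture Wi-Fi password": capture_wifi_password,
    "Scheduled temp file as task from temp location": scheduled_task_from_temp,
}

def evaluate(events):
    """Return [(ProcessId, rule title)] for every event that matches a rule."""
    hits = []
    for ev in events:
        for title, check in RULES.items():
            if check(ev):
                hits.append((ev["ProcessId"], title))
    return hits

# Constructed events: the two real hits from the report plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"ProcessId": 6184, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": "'netsh' wlan show profile",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe"},
    {"ProcessId": 4812, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\TcVfsyyjYuQ' /XML 'C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exe"},
    # benign (constructed): an admin listing interfaces, no profile or key material
    {"ProcessId": 7001, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh wlan show interfaces",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # benign (constructed): an installer registering a task from its own install directory
    {"ProcessId": 7002, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update.xml"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

if __name__ == "__main__":
    for pid, title in evaluate(SAMPLE_EVENTS):
        print(f"PID {pid}: {title}")
```

Only PIDs 6184 and 4812 match; the interface listing and the Program Files task do not. Note that the second rule deliberately inspects the `/XML` argument rather than the whole command line, so a task named "Temp" or a binary that merely runs from Temp does not trigger it.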

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: Pictures.exe.6240.10.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: LOGO AND PICTURES.exe.6208.9.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5874", "Password: ": "", "From: ": "sales01@seedwellresources.xyz"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\TcVfsyyjYuQ.exe | ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: B6LNCKjOGt5EmFQ.exe | ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\TcVfsyyjYuQ.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: B6LNCKjOGt5EmFQ.exe | Joe Sandbox ML: detected

Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.Pictures.exe.150000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 10.0.Pictures.exe.150000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.Pictures.exe.150000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.Pictures.exe.150000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 9.0.LOGO AND PICTURES.exe.db0000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 9.2.LOGO AND PICTURES.exe.db0000.0.unpack | Avira: Label: TR/Redcap.jajcu

Source: B6LNCKjOGt5EmFQ.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49739 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: B6LNCKjOGt5EmFQ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb | source: Pictures.exe, 0000000A.00000002.325931485.000000000093D000.00000004.00000020.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, Pictures.exe
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb | source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, LOGO AND PICTURES.exe
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} | source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000002.604546258.0000000000DB2000.00000002.00020000.sdmp

Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe | Binary or memory string: autorun.inf
Source: Pictures.exe | Binary or memory string: [autorun]

Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 10_2_00C914C0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 10_2_00C917F8
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 10_2_00C90728
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then mov esp, ebp | 10_2_00C94830
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then jmp 00C91A73h | 10_2_00C919A0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then jmp 00C91A73h | 10_2_00C919B0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 10_2_00C95B70

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org

Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 199.193.7.228:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.154.36 104.16.154.36
Source: Joe Sandbox View | IP Address: 131.186.161.70 131.186.161.70
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 199.193.7.228:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49739 version: TLS 1.0

Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
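The network evidence above is the usual stealer pattern: look up the victim's public IP (whatismyipaddress.com, checkip.dyndns.org), one request with no User-Agent at all and the rest with a hardcoded IE6-on-NT-5.2 string that no browser on a Windows 10 host sends, a TLS 1.0 handshake, and then a direct TCP connection from the workstation to port 587 for the SMTP exfiltration configured in the AgentTesla block. The following is an added example, not Joe Sandbox code: a small triage routine that parses raw HTTP request heads and TCP flow tuples constructed from the lines above (plus constructed benign controls) and reports why each one is suspicious. The indicator host list, the port set, the stale-UA regex and the flow-tuple shape are this example's assumptions, not a Joe Sandbox signature.

```python
"""Triage of the network evidence from the report's Networking section.

Added example, not Joe Sandbox code. The HTTP requests and flows below are
constructed from the report's lines; the indicator lists are assumptions.
"""
import re
from dataclasses import dataclass, field

# Public "what is my IP" services that stealers query before exfiltrating (assumption).
IP_CHECK_HOSTS = {"whatismyipaddress.com", "checkip.dyndns.org"}

# Mail submission ports; a workstation talking SMTP directly to the internet is worth a look.
SMTP_PORTS = {25, 465, 587}

# Matches the report's UA: an IE 6 on Windows NT 5.2 claim, i.e. a hardcoded
# string rather than anything a browser on a Windows 10 host would send.
STALE_UA = re.compile(r"MSIE [1-8]\.\d;.*Windows NT 5\.", re.IGNORECASE)

DEPRECATED_TLS = {"SSLv3", "TLS 1.0", "TLS 1.1"}

@dataclass
class Finding:
    record: str
    reasons: list = field(default_factory=list)

def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP request head into its request line and lowercase-keyed headers."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}

def check_http(raw: str) -> list:
    """Return the list of reasons an HTTP request is suspicious (empty if none)."""
    h = parse_http_request(raw)["headers"]
    reasons = []
    host = h.get("host", "").lower()
    if host in IP_CHECK_HOSTS:
        reasons.append(f"external IP lookup via {host}")
    ua = h.get("user-agent")
    if ua is None:
        reasons.append("HTTP request without a User-Agent header")
    elif STALE_UA.search(ua):
        reasons.append(f"stale/hardcoded User-Agent: {ua}")
    return reasons

def check_flow(src: str, dst: str, dport: int, tls_version=None) -> list:
    """Return the reasons a TCP flow is suspicious: direct SMTP or a deprecated TLS version."""
    reasons = []
    if dport in SMTP_PORTS:
        reasons.append(f"direct SMTP submission to {dst}:{dport}")
    if tls_version in DEPRECATED_TLS:
        reasons.append(f"deprecated {tls_version} handshake with {dst}:{dport}")
    return reasons

# Constructed from the report's lines, plus one benign control of each kind.
HTTP_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: whatismyipaddress.com\r\nConnection: Keep-Alive\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n",
    # benign control (constructed): a current browser fetching an ordinary page
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0\r\n",
]
FLOWS = [
    ("192.168.2.3", "199.193.7.228", 587, None),        # TCP flow from the report
    ("192.168.2.3", "172.67.188.154", 443, "TLS 1.0"),  # HTTPS flow from the report
    ("192.168.2.3", "198.51.100.10", 443, "TLS 1.3"),   # benign control (constructed, TEST-NET-2)
]

def triage():
    """Run every check over the constructed records and return the findings."""
    findings = []
    for raw in HTTP_REQUESTS:
        reasons = check_http(raw)
        if reasons:
            req = parse_http_request(raw)
            findings.append(Finding(f"{req['request_line']} -> {req['headers'].get('host', '?')}", reasons))
    for src, dst, dport, tls in FLOWS:
        reasons = check_flow(src, dst, dport, tls)
        if reasons:
            findings.append(Finding(f"{src} -> {dst}:{dport}", reasons))
    return findings

if __name__ == "__main__":
    for f in triage():
        print(f.record)
        for r in f.reasons:
            print("   -", r)
```

Four of the six constructed records are flagged; the Firefox request and the TLS 1.3 flow are not. The IP-lookup hosts are a weak indicator on their own (users visit them too), so in practice the signal is the combination with the missing or stale User-Agent and the outbound SMTP flow from the same host, which is how the report's signatures line up as well.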
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pictures.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 94.197.2.0.in-addr.arpa
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/HB
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: LOGO AND PICTURES.exe, 00000009.00000003.459012991.0000000006ADF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.usertrusts
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: LOGO AND PICTURES.exe, 00000009.00000003.583245849.00000000092C1000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: LOGO AND PICTURES.exe, 00000009.00000003.583245849.00000000092C1000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: LOGO AND PICTURES.exe, 00000009.00000003.583245849.00000000092C1000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.280326164.0000000003651000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LOGO AND PICTURES.exe, 00000009.00000002.614076620.000000000348A000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.privateemail.com
Source: Pictures.exe | String found in binary or memory: http://whatismyipaddress.com/
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000003.226742441.0000000001CAB000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, Pictures.exeString found in binary or memory: http://www.nirsoft.net/
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.312118405.0000000006640000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611704602.0000000003299000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611704602.0000000003299000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611704602.0000000003299000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/84.17.52.74
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmpString found in binary or memory: https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611647538.0000000003261000.00000004.00000001.sdmpString found in binary or memory: https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26
                            Source: Pictures.exeString found in binary or memory: https://login.yahoo.com/config/login
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000009.00000002.611791578.00000000032B4000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                            Source: LOGO AND PICTURES.exe, 00000009.00000003.425343136.0000000006AAC000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.609664238.00000000015DB000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmpString found in binary or memory: https://www.geodatatool.com/en/?ip=
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.615373407.0000000003515000.00000004.00000001.sdmpString found in binary or memory: https://www.geodatatool.com/en/?ip=3D84.17.52.74=0D=0A=
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.612629984.00000000033B7000.00000004.00000001.sdmpString found in binary or memory: https://www.geodatatool.com/en/?ip=3D84.17.52.74=0D=0A=0D=0ADat=
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.611843586.00000000032C9000.00000004.00000001.sdmpString found in binary or memory: https://www.geodatatool.com/en/?ip=84.17.52.74
                            Source: Pictures.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, B6LNCKjOGt5EmFQ.exe, 00000008.00000003.291239624.0000000004451000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443

                            Key, Mouse, Clipboard, Microphone and Screen Capturing:

                            Yara detected HawkEye Keylogger
                            Source: Yara matchFile source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.327595878.000000000295F000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: Pictures.exe PID: 6240, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 6076, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: B6LNCKjOGt5EmFQ.exe PID: 5336, type: MEMORY
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
                            Source: Yara matchFile source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPE
                            Contains functionality to log keystrokes (.Net Source)
                            Source: Pictures.exe.8.dr, Form1.cs.Net Code: HookKeyboard
                            Source: 10.0.Pictures.exe.150000.0.unpack, Form1.cs.Net Code: HookKeyboard
                            Source: 10.2.Pictures.exe.150000.0.unpack, Form1.cs.Net Code: HookKeyboard
                            Installs a global keyboard hook
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Pictures.exe
                            Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\PO456724392021.exe
                            Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\PO2345714382021.exe
                            Source: LOGO AND PICTURES.exe, 00000009.00000002.608636145.000000000151B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeWindow created: window name: CLIPBRDWNDCLASS
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeWindow created: window name: CLIPBRDWNDCLASS
                            Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exeWindow created: window name: CLIPBRDWNDCLASS
                            Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exeWindow created: window name: CLIPBRDWNDCLASS

                            System Summary:

                            Malicious sample detected (through community Yara rule)
                            Source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: 0000000A.00000002.323788934.0000000000152000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: 0000000A.00000000.282912644.0000000000152000.00000002.00020000.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: 0000000A.00000002.327595878.000000000295F000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPEDMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPEDMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: 10.0.Pictures.exe.150000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: 10.2.Pictures.exe.150000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                            Source: 8.2.B6LNCKjOGt5EmFQ.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                            .NET source code contains very large array initializations
                            Source: 16.0.PO2345714382021.exe.5d0000.0.unpack, <PrivateImplementationDetails>{8E6E7EF7-AC19-4F3F-8489-4F7AD84D7DAF}/E4F05C4E-2007-4C5F-B313-78ABE577C964.csLarge array initialization: .cctor: array initializer size 11976
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_04A254E6 NtResumeThread,10_2_04A254E6
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_04A2543E NtQuerySystemInformation,10_2_04A2543E
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_04A2558E NtWriteVirtualMemory,10_2_04A2558E
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_04A253FA NtQuerySystemInformation,10_2_04A253FA
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_04A25561 NtWriteVirtualMemory,10_2_04A25561
                            Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exeCode function: 0_2_01C5C4CC0_2_01C5C4CC
                            Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exeCode function: 0_2_01C5E4630_2_01C5E463
                            Source: C:\Users\user\Desktop\B6LNCKjOGt5EmFQ.exeCode function: 0_2_01C5E4700_2_01C5E470
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_013597549_2_01359754
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0135A3B89_2_0135A3B8
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0135A3A99_2_0135A3A9
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0135A3809_2_0135A380
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030CF22A9_2_030CF22A
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030CD1D89_2_030CD1D8
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030C05809_2_030C0580
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030CDAA89_2_030CDAA8
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030CCE909_2_030CCE90
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030C10F89_2_030C10F8
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030C16189_2_030C1618
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030C0BE09_2_030C0BE0
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_030C8A389_2_030C8A38
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_032183A09_2_032183A0
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_032141E89_2_032141E8
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321E0209_2_0321E020
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321F7D89_2_0321F7D8
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_032166E09_2_032166E0
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_03217A989_2_03217A98
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321E8089_2_0321E808
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_032178A89_2_032178A8
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321EFF09_2_0321EFF0
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_03211C309_2_03211C30
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_032183909_2_03218390
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_032141D89_2_032141D8
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321E0119_2_0321E011
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321E01E9_2_0321E01E
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321F7789_2_0321F778
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321E7A79_2_0321E7A7
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_032166D09_2_032166D0
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_032166DE9_2_032166DE
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_03215F389_2_03215F38
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_0321EFE99_2_0321EFE9
                            Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exeCode function: 9_2_00DB73C09_2_00DB73C0
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_0015D42610_2_0015D426
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_0015D52310_2_0015D523
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_0016D5AE10_2_0016D5AE
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_0016764610_2_00167646
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_001929BE10_2_001929BE
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_00196AF410_2_00196AF4
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_001BABFC10_2_001BABFC
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_001B3C4D10_2_001B3C4D
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_001B3CBE10_2_001B3CBE
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_0015ED0310_2_0015ED03
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_001B3D2F10_2_001B3D2F
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_001B3DC010_2_001B3DC0
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_0015CF9210_2_0015CF92
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_0016AFA610_2_0016AFA6
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_00C9604810_2_00C96048
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_00C9575810_2_00C95758
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_00C9871010_2_00C98710
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_00C91DA810_2_00C91DA8
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_00C9708810_2_00C97088
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_00C9709810_2_00C97098
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: 10_2_0018C7BC10_2_0018C7BC
                            Source: C:\Users\user\AppData\Local\Temp\Pictures.exeCode function: String function: 0019BA9D appears 35 times
                            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2184
                            Source: Pictures.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: Pictures.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: Pictures.exe.8.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.314008888.0000000008070000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.315076330.0000000008220000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVNXT.exe* vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameqSFGwNyTRHxXnFNQmReMEDLopGXKYkP.exed" vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBehbBNmlFodyWDcOLIcGKBGvXeAtKtoPsNVNJ.exe4 vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameaVGHPRrbHbSzmBgNIxPPIWutzHpjQGUX.exe4 vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.293576161.0000000004C48000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDIN
GXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.314382538.00000000080D0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000000.00000002.314382538.00000000080D0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.291239624.0000000004451000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameaVGHPRrbHbSzmBgNIxPPIWutzHpjQGUX.exe4 vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.281411863.0000000004450000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000002.300376997.0000000003850000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameVNXT.exe* vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameqSFGwNyTRHxXnFNQmReMEDLopGXKYkP.exed" vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000003.277852049.0000000003760000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBehbBNmlFodyWDcOLIcGKBGvXeAtKtoPsNVNJ.exe4 vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000002.300352400.0000000003720000.00000002.00000001.sdmpBinary or memory string: originalfilename vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000002.300352400.0000000003720000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs B6LNCKjOGt5EmFQ.exe
                            Source: B6LNCKjOGt5EmFQ.exe, 00000008.00000002.298778649.0000000000403000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXX…