
Analysis Report hkaP5RPCGNDVq3Z.exe

Overview

General Information

Sample Name: hkaP5RPCGNDVq3Z.exe
Analysis ID: 339931
MD5: 07556e1af1f43f7dd42d32d188187e4a
SHA1: 42110c04869726694a2537e05f987039cd829ac0
SHA256: a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
Tags: exe, HawkEye

Detection

HawkEye AgentTesla MailPassView Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • hkaP5RPCGNDVq3Z.exe (PID: 5552 cmdline: 'C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe' MD5: 07556E1AF1F43F7DD42D32D188187E4A)
    • schtasks.exe (PID: 1560 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • hkaP5RPCGNDVq3Z.exe (PID: 5908 cmdline: {path} MD5: 07556E1AF1F43F7DD42D32D188187E4A)
      • LOGO AND PICTURES.exe (PID: 5872 cmdline: 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0 MD5: D9001138C5119D936B70BF77E136AFBE)
        • netsh.exe (PID: 6400 cmdline: 'netsh' wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • conhost.exe (PID: 6396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Pictures.exe (PID: 5868 cmdline: 'C:\Users\user\AppData\Local\Temp\Pictures.exe' 0 MD5: 25146E9C5ECD498DD17BA01E6CFAEB24)
        • dw20.exe (PID: 6348 cmdline: dw20.exe -x -s 2100 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • PO456724392021.exe (PID: 2208 cmdline: 'C:\Users\user\AppData\Local\Temp\PO456724392021.exe' 0 MD5: F38E2D474C075EFF35B4EF81FDACA650)
      • PO2345714382021.exe (PID: 5880 cmdline: 'C:\Users\user\AppData\Local\Temp\PO2345714382021.exe' 0 MD5: 9B79DE8E3AD21F14E71E55CFA6AE4727)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Threatname: Agenttesla

{"Username: ": "VjouxsS", "URL: ": "http://YfWA3aJjc76ztEimE.com", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5876", "Password: ": "Nd6zB", "From: ": "sales01@seedwellresources.xyz"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | JoeSecurity_Matiex | Yara detected Matiex Keylogger | Joe Security |
C:\Users\user\AppData\Local\Temp\Pictures.exe | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | (strings below)
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT
C:\Users\user\AppData\Local\Temp\Pictures.exe | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
C:\Users\user\AppData\Local\Temp\Pictures.exe | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | (strings below)
  • 0x7b6f7:$key: HawkEyeKeylogger
  • 0x7d93b:$salt: 099u787978786
  • 0x7bd38:$string1: HawkEye_Keylogger
  • 0x7cb8b:$string1: HawkEye_Keylogger
  • 0x7d89b:$string1: HawkEye_Keylogger
  • 0x7c121:$string2: holdermail.txt
  • 0x7c141:$string2: holdermail.txt
  • 0x7c063:$string3: wallet.dat
  • 0x7c07b:$string3: wallet.dat
  • 0x7c091:$string3: wallet.dat
  • 0x7d45f:$string4: Keylog Records
  • 0x7d777:$string4: Keylog Records
  • 0x7d993:$string5: do not script -->
  • 0x7b6df:$string6: \pidloc.txt
  • 0x7b76d:$string7: BSPLIT
  • 0x7b77d:$string7: BSPLIT
00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.0.PO456724392021.exe.e90000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
8.2.PO456724392021.exe.e90000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
9.0.PO2345714382021.exe.a0000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.0.Pictures.exe.470000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | (strings below)
  • 0x7b8f7:$key: HawkEyeKeylogger
  • 0x7db3b:$salt: 099u787978786
  • 0x7bf38:$string1: HawkEye_Keylogger
  • 0x7cd8b:$string1: HawkEye_Keylogger
  • 0x7da9b:$string1: HawkEye_Keylogger
  • 0x7c321:$string2: holdermail.txt
  • 0x7c341:$string2: holdermail.txt
  • 0x7c263:$string3: wallet.dat
  • 0x7c27b:$string3: wallet.dat
  • 0x7c291:$string3: wallet.dat
  • 0x7d65f:$string4: Keylog Records
  • 0x7d977:$string4: Keylog Records
  • 0x7db93:$string5: do not script -->
  • 0x7b8df:$string6: \pidloc.txt
  • 0x7b96d:$string7: BSPLIT
  • 0x7b97d:$string7: BSPLIT
7.0.Pictures.exe.470000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Capture Wi-Fi password
Source: Process started | Author: Joe Security | Data: Command: 'netsh' wlan show profile, CommandLine: 'netsh' wlan show profile, CommandLine|base64offset|contains: V, Image: C:\Windows\SysWOW64\netsh.exe, NewProcessName: C:\Windows\SysWOW64\netsh.exe, OriginalFileName: C:\Windows\SysWOW64\netsh.exe, ParentCommandLine: 'C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe' 0, ParentImage: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe, ParentProcessId: 5872, ProcessCommandLine: 'netsh' wlan show profile, ProcessId: 6400
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe' , ParentImage: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe, ParentProcessId: 5552, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jcKKBKdU' /XML 'C:\Users\user\AppData\Local\Temp\tmpEED.tmp', ProcessId: 1560

Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Avira: detection malicious, Label: TR/Redcap.jajcu
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Avira: detection malicious, Label: TR/Spy.Gen8
Found malware configuration
Source: hkaP5RPCGNDVq3Z.exe.5908.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: PO456724392021.exe.2208.8.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "VjouxsS", "URL: ": "http://YfWA3aJjc76ztEimE.com", "To: ": "sales01@seedwellresources.xyz", "ByHost: ": "smtp.privateemail.com:5876", "Password: ": "Nd6zB", "From: ": "sales01@seedwellresources.xyz"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Joe Sandbox ML: detected
Source: 7.0.Pictures.exe.470000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.0.Pictures.exe.470000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 7.2.Pictures.exe.470000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 7.2.Pictures.exe.470000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.LOGO AND PICTURES.exe.880000.0.unpack | Avira: Label: TR/Redcap.jajcu
Source: hkaP5RPCGNDVq3Z.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.3:49732 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: hkaP5RPCGNDVq3Z.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277045507.0000000002840000.00000004.00000040.sdmp
                          Source: Binary string: mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: 1:pC:\Windows\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbdN source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
                          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
                          Source: Binary string: mscorlib.pdbz\AppData\Local\Temp\Pictures.exe source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: \??\C:\Windows\mscorlib.pdbln source: Pictures.exe, 00000007.00000002.284885892.0000000006460000.00000004.00000001.sdmp
                          Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
                          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, Pictures.exe.3.dr
                          Source: Binary string: C:\Windows\mscorlib.pdbd source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: Pictures.exe, 00000007.00000002.284902905.0000000006474000.00000004.00000001.sdmp
                          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Pictures.exe, 00000007.00000002.277055255.0000000002847000.00000004.00000040.sdmp
                          Source: Binary string: mscorlib.pdbH source: Pictures.exe, 00000007.00000002.286082316.0000000007AAA000.00000004.00000010.sdmp
                          Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr
                          Source: Binary string: mscorrc.pdb source: Pictures.exe, 00000007.00000002.280912855.0000000004DD0000.00000002.00000001.sdmp
                          Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000000.259667235.0000000000882000.00000002.00020000.sdmp, LOGO AND PICTURES.exe.3.dr
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe | Binary or memory string: [autorun]
Source: Pictures.exe | Binary or memory string: autorun.inf
Source: Pictures.exe.3.dr | Binary or memory string: autorun.inf
Source: Pictures.exe.3.dr | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_0704DAB0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 7_2_04CB14C0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 7_2_04CB17F8
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then jmp 04CB1A73h | 7_2_04CB19A0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then jmp 04CB1A73h | 7_2_04CB19B0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 7_2_04CB5B70
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 7_2_04CB0728
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] | 7_2_04CB603A
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 4x nop then mov esp, ebp | 7_2_04CB4830

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://YfWA3aJjc76ztEimE.com
May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: whatismyipaddress.com
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 199.193.7.228:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.155.36 104.16.155.36
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 199.193.7.228:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.3:49732 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0259A09A recv, 7_2_0259A09A
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.drString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.drString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Pictures.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 169.241.9.0.in-addr.arpa
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp | String found in binary or memory: http://YGApDP.com
Source: PO456724392021.exe, 00000008.00000002.624703526.00000000035F5000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.624818191.0000000003604000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.624749656.00000000035FB000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.622310400.000000000335F000.00000004.00000001.sdmp | String found in binary or memory: http://YfWA3aJjc76ztEimE.com
Source: LOGO AND PICTURES.exe, 00000006.00000003.367655934.00000000065A3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.co
Source: LOGO AND PICTURES.exe, 00000006.00000003.367607117.00000000065BA000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.619555570.0000000001629000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: LOGO AND PICTURES.exe, 00000006.00000003.367635858.0000000006598000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627337909.000000000660B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: LOGO AND PICTURES.exe, 00000006.00000003.432984410.0000000008D31000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, LOGO AND PICTURES.exe, 00000006.00000003.367607117.00000000065BA000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, PO456724392021.exe, 00000008.00000002.619555570.0000000001629000.00000004.00000020.sdmp, Pictures.exe.3.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: LOGO AND PICTURES.exe, 00000006.00000003.367705732.000000000656E000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sect
Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257858765.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO456724392021.exe, 00000008.00000002.624703526.00000000035F5000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.privateemail.com
Source: Pictures.exe, 00000007.00000002.277841679.0000000002BDD000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com
Source: Pictures.exe | String found in binary or memory: http://whatismyipaddress.com/
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, Pictures.exe, 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, Pictures.exe.3.dr | String found in binary or memory: http://whatismyipaddress.com/-
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
                          Source: Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                          Source: Pictures.exe.3.drString found in binary or memory: http://www.nirsoft.net/
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                          Source: Pictures.exe, 00000007.00000002.278199316.0000000002C23000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                          Source: Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                          Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.276769899.0000000006C52000.00000004.00000001.sdmp, Pictures.exe, 00000007.00000002.281614834.0000000005360000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                          Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                          Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                          Source: Pictures.exeString found in binary or memory: https://login.yahoo.com/config/login
                          Source: LOGO AND PICTURES.exe, 00000006.00000003.367676497.0000000006550000.00000004.00000001.sdmp, PO456724392021.exe, 00000008.00000002.627273721.00000000065E3000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                          Source: Pictures.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                          Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp, PO456724392021.exe, PO2345714382021.exe, 00000009.00000000.263166408.00000000000A2000.00000002.00020000.sdmp, PO2345714382021.exe.3.drString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                          Source: PO456724392021.exe, 00000008.00000002.622096299.0000000003301000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
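Most of the URL strings listed above are benign carry-over: font-foundry links from embedded font metadata and CRL/OCSP endpoints from the Authenticode certificates of signed components. The few that matter for hunting are the external IP lookups (whatismyipaddress.com, api.ipify.org), the SMTP host (smtp.privateemail.com), the placeholder-looking log upload path (http://www.site.com/logs.php) and the Tor bundle download. The script below is an added example, not part of the Joe Sandbox report: it pulls URL strings out of a memory image in both ASCII and UTF-16LE form (the latter is how a .NET process such as Pictures.exe holds its strings) and buckets them. The sample buffer is constructed here, and the keyword lists are my own triage heuristics, not a classification the sandbox performs.

```python
import re
from urllib.parse import urlparse

# Constructed sample memory image (not from the sandbox): NUL-separated ASCII
# strings, one UTF-16LE string as the .NET runtime would store it, and filler.
SAMPLE_MEMORY = (
    b"\x00\x00http://www.fontbureau.com/designers\x00"
    b"http://crl.comodoca.com/COMODOCodeSigningCA2.crl\x00"
    b"http://ocsp.sectigo.com\x00junk\x01\x02"
    b"http://whatismyipaddress.com/\x00"
    b"https://api.ipify.org\x00"
    b"http://smtp.privateemail.com\x00"
    b"https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip\x00"
    b"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\x00"
    + "http://www.site.com/logs.php".encode("utf-16-le") + b"\x00\x00"
)

URL_CHARS = rb"A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-"
URL_RE_ASCII = re.compile(rb"https?://[" + URL_CHARS + rb"]+")
# Same grammar with a NUL after every code unit, i.e. UTF-16LE.
URL_RE_WIDE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + URL_CHARS + rb"]\x00)+"
)

# Triage hints (assumption: my own lists, extend them per case).
IP_CHECK_HINTS = ("ipify.org", "whatismyipaddress.com", "ip-api.com", "checkip.")
PKI_HINTS = ("comodoca.com", "sectigo.com", "digicert.com", "globalsign.com", "/cps")
NOISE_HINTS = ("font", "typeworks", "sakkal", "sandoll", "tiro.com", "typography",
               "carterandcone", "galapagosdesign", "founder.com.cn", "jiyu-kobo",
               "goodfont", "zhongyicts", "urwpp", "apache.org/licenses", "ns.adobe",
               "schemas.xmlsoap.org", "schemas.microsoft.com", "w3.org")
CATEGORIES = ("ip_check", "mail_server", "tool_download", "pki_noise",
              "font_or_schema_noise", "review")


def extract_urls(blob: bytes) -> list[str]:
    """Unique URL strings found as ASCII or UTF-16LE, in order of first appearance."""
    hits = []
    for m in URL_RE_ASCII.finditer(blob):
        hits.append((m.start(), m.group().decode("ascii", "replace")))
    for m in URL_RE_WIDE.finditer(blob):
        hits.append((m.start(), m.group().decode("utf-16-le", "replace")))
    seen, out = set(), []
    for _, url in sorted(hits):
        url = url.rstrip(".,;:'\")")      # trailing punctuation is rarely part of a URL
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def classify(url: str) -> str:
    """Order matters: the interesting buckets are tested before the noise buckets."""
    low = url.lower()
    host = urlparse(low).hostname or ""
    if any(h in host for h in IP_CHECK_HINTS):
        return "ip_check"                # victim IP lookup before first report
    if host.startswith(("smtp.", "mail.", "imap.", "pop.", "pop3.")):
        return "mail_server"             # exfiltration over e-mail
    if low.endswith((".zip", ".exe", ".dll", ".7z")) or "torproject" in low:
        return "tool_download"           # second-stage tooling fetched at runtime
    if host.startswith(("crl.", "ocsp.", "crt.")) or any(h in low for h in PKI_HINTS):
        return "pki_noise"               # certificate chain of a signed component
    if any(h in low for h in NOISE_HINTS):
        return "font_or_schema_noise"    # font metadata, XML namespaces, licences
    return "review"                      # anything else gets a human look


def triage(blob: bytes) -> dict[str, list[str]]:
    buckets = {c: [] for c in CATEGORIES}
    for url in extract_urls(blob):
        buckets[classify(url)].append(url)
    return {c: sorted(v) for c, v in buckets.items()}


if __name__ == "__main__":
    for category, urls in triage(SAMPLE_MEMORY).items():
        for u in urls:
            print(f"{category:22} {u}")
```

On a real case, read the .sdmp region or the dropped file into `blob`; the trailing debris the sandbox shows (`crl0r`, `designersG`) is whatever byte followed the string and can be trimmed in the same place as the punctuation strip.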

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.278079431.0000000002C06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hkaP5RPCGNDVq3Z.exe PID: 5908, type: MEMORY
Source: Yara match | File source: Process Memory Space: Pictures.exe PID: 5868, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED
Source: Yara match | File source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: Pictures.exe.3.dr, Form1.cs | .Net Code: HookKeyboard
Source: 7.0.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 7.2.Pictures.exe.470000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Pictures.exe
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\PO456724392021.exe
Source: PO456724392021.exe, 00000008.00000002.619065209.000000000159B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_02A2C26C
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_02A2E622
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_02A2E630
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_02A24558
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_0704DAB0
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_0704CAE8
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_0704EC08
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 0_2_00742186
Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Code function: 3_2_00682186
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0047D426
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0047D523
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0048D5AE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_00487646
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004B29BE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004B6AF4
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004DABFC
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004D3C4D
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004D3CBE
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0047ED03
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004D3D2F
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004D3DC0
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0047CF92
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_0048AFA6
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB6048
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB5758
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB7088
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB7098
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04CB1D98
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_004AC7BC
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_00E92296
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_01309410
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_0130DA11
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_0130DE78
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_0130F190
Source: C:\Users\user\AppData\Local\Temp\PO456724392021.exe | Code function: 8_2_0130F04D
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe 9AE5EF3FD4FEEA105C1ED3F1E69FD4FA328E8F29F1937097280F7EEE7F8D749E
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe 56BD25ACDB97CE17F8351B926C48A4F63E348C40F6C5913219B0745D99F6B31D
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Pictures.exe 5207F3D079A52017E7977296C9EBA782D3D5EAE5ADEC94FA38ACDD88C184496D
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: String function: 004BBA9D appears 35 times
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2100
Source: hkaP5RPCGNDVq3Z.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: jcKKBKdU.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pictures.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pictures.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Pictures.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hkaP5RPCGNDVq3Z.exe | Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278348508.0000000007640000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278348508.0000000007640000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.279931962.0000000007890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.278131793.00000000075E0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.257933457.0000000002C8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000000.00000002.280157361.0000000007900000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe | Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVNXT.exe* vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.256136322.0000000003390000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameqSFGwNyTRHxXnFNQmReMEDLopGXKYkP.exed" vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263995429.0000000003AEC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaVGHPRrbHbSzmBgNIxPPIWutzHpjQGUX.exe4 vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000003.263264151.0000000003A81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBehbBNmlFodyWDcOLIcGKBGvXeAtKtoPsNVNJ.exe4 vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266564778.0000000002A90000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266564778.0000000002A90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.266387872.0000000002A30000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe, 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXX... (PADDINGXX filler repeated, truncated here) vs hkaP5RPCGNDVq3Z.exe
Source: hkaP5RPCGNDVq3Z.exe | Binary or memory string: OriginalFilename vs hkaP5RPCGNDVq3Z.exe
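The OriginalFilename strings above are VS_VERSION_INFO resource values of the PE images that the injected hkaP5RPCGNDVq3Z.exe process (PID 3) carries in memory: mailpv.exe and WebBrowserPassView.exe are the NirSoft password-recovery utilities that the MailPassView Yara hit refers to, CMemoryExecute.dll and ViottoBinder_Stub.exe are the loader components that run and bundle them. The sandbox reads each value as a narrow string and picks up the byte after the terminator, which is where the trailing `<`, `F`, `@` and `0` come from. The script below is an added example, not part of the Joe Sandbox report: it locates a version-resource key in a memory dump as UTF-16LE, skips the DWORD alignment padding, reads the value up to its terminator and looks the names up against a small mapping. The dump is constructed here, and the tool mapping is my own, not something the sandbox provides.

```python
import re


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


def _version_string(key: str, value: str) -> bytes:
    # A StringFileInfo entry as laid out in memory: key, NUL, DWORD alignment
    # padding, value, NUL. The 6-byte wLength/wValueLength/wType header is left
    # out (assumption: the scan below keys on the string, not the header).
    return _wide(key) + b"\x00\x00" + b"\x00\x00" + _wide(value) + b"\x00\x00"


# Constructed dump (not from the sandbox): version strings of three embedded PE
# images, one narrow-string decoy that must not match, a duplicate, and filler.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + _version_string("OriginalFilename", "mailpv.exe")
    + b"OriginalFilename\x00decoy.exe\x00"            # ASCII, not a version resource
    + _version_string("InternalName", "mailpv")
    + b"\xff\xfe\x00" + _version_string("OriginalFilename", "WebBrowserPassView.exe")
    + _version_string("OriginalFilename", "CMemoryExecute.dll")
    + _version_string("OriginalFilename", "mailpv.exe")  # duplicate, reported once
)

# Names I recognise (assumption: my own mapping; extend per case).
KNOWN_EMBEDDED_TOOLS = {
    "mailpv.exe": "NirSoft Mail PassView (mail client credential recovery)",
    "webbrowserpassview.exe": "NirSoft WebBrowserPassView (browser credential recovery)",
}


def _read_wide_cstring(blob: bytes, pos: int, max_chars: int = 260) -> str:
    """Read UTF-16LE code units from pos until a NUL unit or max_chars."""
    units = []
    while pos + 1 < len(blob) and len(units) < max_chars:
        unit = blob[pos:pos + 2]
        if unit == b"\x00\x00":
            break
        units.append(unit)
        pos += 2
    return b"".join(units).decode("utf-16-le", "replace")


def extract_version_strings(blob: bytes, key: str = "OriginalFilename") -> list[str]:
    """Unique values of a VS_VERSION_INFO string key found anywhere in blob."""
    pattern = re.escape(_wide(key) + b"\x00\x00")
    found = []
    for m in re.finditer(pattern, blob):
        pos = m.end()
        while blob[pos:pos + 2] == b"\x00\x00":   # DWORD alignment padding, if any
            pos += 2
        value = _read_wide_cstring(blob, pos)
        if value and value not in found:
            found.append(value)
    return found


def annotate(names: list[str]) -> dict[str, str]:
    """Map each recovered name to a note; unknown names are left for review."""
    return {n: KNOWN_EMBEDDED_TOOLS.get(n.lower(), "unrecognised, review manually")
            for n in names}


if __name__ == "__main__":
    for name, note in annotate(extract_version_strings(SAMPLE_DUMP)).items():
        print(f"{name:26} {note}")
```

Pointing `extract_version_strings` at the 00000003.00000002.264651152.0000000000403000 dump with `key="InternalName"` or `key="ProductName"` gives the same cross-check the sandbox's OriginalFilename comparison does, without the stray trailing byte.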
Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Section loaded: security.dll
Source: hkaP5RPCGNDVq3Z.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000002.275743859.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.278048852.0000000002C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.260712267.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.277723292.0000000002B91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000007.00000000.260883929.0000000000472000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.265891153.00000000041F6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.264651152.0000000000403000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\Pictures.exe, type: DROPPED | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 7.0.Pictures.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 7.2.Pictures.exe.470000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 3.2.hkaP5RPCGNDVq3Z.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: hkaP5RPCGNDVq3Z.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: jcKKBKdU.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: Pictures.exe.3.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Pictures.exe.3.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Pictures.exe.3.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Pictures.exe.3.dr, Form1.csCryptographic APIs: 'CreateDecryptor'
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
                          Source: Pictures.exe.3.dr, Form1.csBase64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 7.0.Pictures.exe.470000.0.unpack, Form1.csBase64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 7.2.Pictures.exe.470000.0.unpack, Form1.csBase64 encoded string: 'jLDFXdPp/aSqMg8c6nmqYAnMHqu4RKPQmOX0IzUJgPUsVuhoSdvgoW9ev7/V5wH4fXvuYswWQ/LZ+ye1hqPRZw==', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/12@38/5
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04D34E52 AdjustTokenPrivileges
                          Source: C:\Users\user\AppData\Local\Temp\Pictures.exe | Code function: 7_2_04D34E1B AdjustTokenPrivileges
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | File created: C:\Users\user\AppData\Roaming\jcKKBKdU.exe
                          Source: C:\Users\user\Desktop\hkaP5RPCGNDVq3Z.exe | Mutant created: \Sessions\1\BaseNamedObjects\yjyyHtOeJEQCUOCiFqHAwaA
                          Source: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_01
                          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01
                          Source: C:\U