Play interactive tour

Edit tour

Analysis Report POinv00393.exe

Overview

General Information

Sample Name:	POinv00393.exe
Analysis ID:	346695
MD5:	e0db9d12220a5099bd1ebfefc0ccdcfe
SHA1:	b0af96f187273082687f2c58faca71b837876429
SHA256:	09969e8d7af6e0c3ef34c344fe378dd23b6f93abcda793c052e36d1777c35ce7
Tags:	exeHawkEye
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected HawkEye Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell adding suspicious path to exclusion list

Yara detected AntiVM_3

Yara detected HawkEye Keylogger

Yara detected MailPassView

Adds a directory exclusion to Windows Defender

Changes the view of files in windows explorer (hidden files and folders)

Connects to a pastebin service (likely for C&C)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Drops PE files to the startup folder

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Yara detected WebBrowserPassView password recovery tool

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Startup

System is w10x64

POinv00393.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

powershell.exe (PID: 6892 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6916 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6980 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 7080 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

POinv00393.exe (PID: 2100 cmdline: C:\Users\user\Desktop\POinv00393.exe MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

WerFault.exe (PID: 5556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

POinv00393.exe (PID: 6464 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

POinv00393.exe (PID: 5436 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

POinv00393.exe (PID: 2296 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

POinv00393.exe (PID: 1784 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

POinv00393.exe (PID: 5404 cmdline: 'C:\Users\user\Desktop\POinv00393.exe' MD5: E0DB9D12220A5099BD1EBFEFC0CCDCFE)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x12ce0:$key: HawkEyeKeylogger 0x14f2c:$salt: 099u787978786 0x13347:$string1: HawkEye_Keylogger 0x1419a:$string1: HawkEye_Keylogger 0x14e8c:$string1: HawkEye_Keylogger 0x13730:$string2: holdermail.txt 0x13750:$string2: holdermail.txt 0x13672:$string3: wallet.dat 0x1368a:$string3: wallet.dat 0x136a0:$string3: wallet.dat 0x14a6e:$string4: Keylog Records 0x14d86:$string4: Keylog Records 0x14f84:$string5: do not script --> 0x12cc8:$string6: \pidloc.txt 0x12d3e:$string7: BSPLIT 0x12d4e:$string7: BSPLIT
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1339f:$hawkstr1: HawkEye Keylogger 0x141e0:$hawkstr1: HawkEye Keylogger 0x1450f:$hawkstr1: HawkEye Keylogger 0x1466a:$hawkstr1: HawkEye Keylogger 0x147cd:$hawkstr1: HawkEye Keylogger 0x14a46:$hawkstr1: HawkEye Keylogger 0x12f11:$hawkstr2: Dear HawkEye Customers! 0x14562:$hawkstr2: Dear HawkEye Customers! 0x146b9:$hawkstr2: Dear HawkEye Customers! 0x14820:$hawkstr2: Dear HawkEye Customers! 0x13032:$hawkstr3: HawkEye Logger Details:
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7be38:$key: HawkEyeKeylogger 0xfe258:$key: HawkEyeKeylogger 0x180478:$key: HawkEyeKeylogger 0x7e084:$salt: 099u787978786 0x1004a4:$salt: 099u787978786 0x1826c4:$salt: 099u787978786 0x7c49f:$string1: HawkEye_Keylogger 0x7d2f2:$string1: HawkEye_Keylogger 0x7dfe4:$string1: HawkEye_Keylogger 0xfe8bf:$string1: HawkEye_Keylogger 0xff712:$string1: HawkEye_Keylogger 0x100404:$string1: HawkEye_Keylogger 0x180adf:$string1: HawkEye_Keylogger 0x181932:$string1: HawkEye_Keylogger 0x182624:$string1: HawkEye_Keylogger 0x7c888:$string2: holdermail.txt 0x7c8a8:$string2: holdermail.txt 0xfeca8:$string2: holdermail.txt 0xfecc8:$string2: holdermail.txt 0x180ec8:$string2: holdermail.txt 0x180ee8:$string2: holdermail.txt
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c4f7:$hawkstr1: HawkEye Keylogger 0x7d338:$hawkstr1: HawkEye Keylogger 0x7d667:$hawkstr1: HawkEye Keylogger 0x7d7c2:$hawkstr1: HawkEye Keylogger 0x7d925:$hawkstr1: HawkEye Keylogger 0x7db9e:$hawkstr1: HawkEye Keylogger 0xfe917:$hawkstr1: HawkEye Keylogger 0xff758:$hawkstr1: HawkEye Keylogger 0xffa87:$hawkstr1: HawkEye Keylogger 0xffbe2:$hawkstr1: HawkEye Keylogger 0xffd45:$hawkstr1: HawkEye Keylogger 0xfffbe:$hawkstr1: HawkEye Keylogger 0x180b37:$hawkstr1: HawkEye Keylogger 0x181978:$hawkstr1: HawkEye Keylogger 0x181ca7:$hawkstr1: HawkEye Keylogger 0x181e02:$hawkstr1: HawkEye Keylogger 0x181f65:$hawkstr1: HawkEye Keylogger 0x1821de:$hawkstr1: HawkEye Keylogger 0x7c069:$hawkstr2: Dear HawkEye Customers! 0x7d6ba:$hawkstr2: Dear HawkEye Customers! 0x7d811:$hawkstr2: Dear HawkEye Customers!
Process Memory Space: POinv00393.exe PID: 6708	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: POinv00393.exe PID: 6708	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: POinv00393.exe PID: 6708	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: POinv00393.exe PID: 6708	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WerFault.exe PID: 5556	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: Powershell adding suspicious path to exclusion list

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\POinv00393.exe' , ParentImage: C:\Users\user\Desktop\POinv00393.exe, ParentProcessId: 6708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force, ProcessId: 6892

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: WerFault.exe.5556.34.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView"], "Version": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

ReversingLabs: Detection: 17%

Multi AV Scanner detection for submitted file

Show sources

Source: POinv00393.exe	Virustotal: Detection: 34%			Perma Link
Source: POinv00393.exe	ReversingLabs: Detection: 17%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: POinv00393.exe

Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49749 version: TLS 1.0

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: POinv00393.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: anagement.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.388800534.0000000004A7F000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdbj source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdb8 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdbl source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb{ source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb\ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: comctl32.pdbD source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb~ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdbV source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbd source: WerFault.exe, 00000022.00000003.461500702.0000000004EFB000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: xecute.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb4 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbz source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbf source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbH source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdb. source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdbZ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdbp source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdbd source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb2 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdbB source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp

Spreading:

Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	Binary or memory string: [autorun]

Networking:

Connects to a pastebin service (likely for C&C)

Show sources

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 198.54.122.60:587

Source: Joe Sandbox View	IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View	IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190
Source: Joe Sandbox View	IP Address: 104.23.98.190 104.23.98.190

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic

TCP traffic: 192.168.2.3:49733 -> 198.54.122.60:587

Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49713 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49742 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49746 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49748 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49749 version: TLS 1.0

Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: pastebin.com

Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: powershell.exe, 00000001.00000002.498956817.00000000031E6000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncRSACA-2.crl07
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncRSACA-2.crl0L
Source: POinv00393.exe, 00000009.00000003.264750218.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikip
Source: POinv00393.exe, 00000009.00000003.261997834.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikipedia
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.598548034.0000000003377000.00000004.00000020.sdmp	String found in binary or memory: http://schemas.micr
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: powershell.exe, 00000001.00000002.515543086.0000000004D91000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.575272180.0000000004541000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000022.00000003.438033658.0000000005620000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, WerFault.exe, 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.266225699.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: POinv00393.exe, 00000009.00000003.266098249.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: POinv00393.exe, 00000009.00000003.266388252.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comnxa
Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com(
Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com.TTF:
Source: POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/
Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.292180727.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289173192.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: POinv00393.exe, 00000009.00000003.291476719.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: POinv00393.exe, 00000009.00000003.291895161.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/o
Source: POinv00393.exe, 00000009.00000003.285625737.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers0
Source: POinv00393.exe, 00000009.00000003.287216804.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: POinv00393.exe, 00000009.00000003.286463158.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers=
Source: POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersr
Source: POinv00393.exe, 00000009.00000003.293691579.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerss
Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comI.TTF
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comednxn
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comessed
Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgritaU
Source: POinv00393.exe, 00000009.00000003.332270630.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comion
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comitud
Source: POinv00393.exe, 00000009.00000003.289917470.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comoitu:
Source: POinv00393.exe, 00000009.00000003.287512906.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueed
Source: POinv00393.exe, 00000009.00000003.285473287.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comy
Source: POinv00393.exe, 00000009.00000003.264142006.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c
Source: POinv00393.exe, 00000009.00000003.264396432.00000000060A5000.00000004.00000001.sdmp, POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: POinv00393.exe, 00000009.00000003.264516630.00000000060A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: POinv00393.exe, 00000009.00000003.263686147.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnOx
Source: POinv00393.exe, 00000009.00000003.263964185.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnl-nO
Source: POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/2
Source: POinv00393.exe, 00000009.00000003.301758986.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/:
Source: POinv00393.exe, 00000009.00000003.314035977.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmWQ
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krF4
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krK
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: POinv00393.exe, 00000009.00000003.276537694.00000000060A5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/sl-s
Source: POinv00393.exe, 00000009.00000003.279036621.00000000060A8000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: POinv00393.exe, 00000009.00000003.304428786.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: POinv00393.exe, 00000009.00000003.300240186.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.X
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: POinv00393.exe, 00000009.00000003.281094175.00000000060A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: POinv00393.exe, 00000009.00000003.263201663.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.cQ
Source: POinv00393.exe, 00000009.00000003.262220149.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krW
Source: POinv00393.exe, 00000009.00000003.262560956.00000000060AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krim
Source: POinv00393.exe, 00000009.00000003.269856466.00000000060A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: POinv00393.exe, 00000009.00000003.295228473.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: POinv00393.exe, 00000009.00000003.284582010.00000000060AA000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.del
Source: POinv00393.exe, 00000009.00000003.265749682.00000000060A7000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000001.00000002.522372632.0000000004ED2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.416731741.00000000076A0000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.595455706.0000000004680000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: POinv00393.exe, 00000000.00000002.256248196.00000000018D4000.00000004.00000020.sdmp, POinv00393.exe, 0000001F.00000002.612579992.00000000012E2000.00000004.00000020.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: POinv00393.exe PID: 6708, type: MEMORY
Source: Yara match	File source: Process Memory Space: WerFault.exe PID: 5556, type: MEMORY

Installs a global keyboard hook

Show sources

Source: C:\Users\user\Desktop\POinv00393.exe

Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\POinv00393.exe

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C88251	0_2_01C88251
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 0_2_01C87AEB	0_2_01C87AEB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAA3D8	1_2_02DAA3D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAF3D7	1_2_02DAF3D7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAE66B	1_2_02DAE66B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAA960	1_2_02DAA960
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA7FE0	1_2_02DA7FE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA6C30	1_2_02DA6C30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA51C8	1_2_02DA51C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA51B7	1_2_02DA51B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAA3D8	1_2_02DAA3D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAF3D7	1_2_02DAF3D7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DAC560	1_2_02DAC560
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DA8810	1_2_02DA8810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DC0040	1_2_02DC0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D2B48	1_2_032D2B48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032DDEB8	1_2_032DDEB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D5ED0	1_2_032D5ED0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032DA320	1_2_032DA320
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D1A50	1_2_032D1A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D9818	1_2_032D9818
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D0040	1_2_032D0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032D67E8	1_2_032D67E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032DA618	1_2_032DA618
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_032DD420	1_2_032DD420
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_02DC865B	1_2_02DC865B
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03111B78	3_2_03111B78
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03113AD0	3_2_03113AD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0316A358	3_2_0316A358
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0316B750	3_2_0316B750
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03160EB8	3_2_03160EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03167EB8	3_2_03167EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03160040	3_2_03160040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03167EB8	3_2_03167EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03167EB8	3_2_03167EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_0316AE20	3_2_0316AE20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03160EB8	3_2_03160EB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_03166C68	3_2_03166C68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0095A048	5_2_0095A048
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0095AD89	5_2_0095AD89
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009505D8	5_2_009505D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00956E28	5_2_00956E28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00959A58	5_2_00959A58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009505D8	5_2_009505D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00956E28	5_2_00956E28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00956E28	5_2_00956E28
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0095A740	5_2_0095A740
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00956748	5_2_00956748
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009619E8	5_2_009619E8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00963938	5_2_00963938
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009883E0	5_2_009883E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098F528	5_2_0098F528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098C610	5_2_0098C610
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098A7D8	5_2_0098A7D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00986738	5_2_00986738
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098E810	5_2_0098E810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098AD60	5_2_0098AD60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009870A0	5_2_009870A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009851C8	5_2_009851C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009851C7	5_2_009851C7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098F528	5_2_0098F528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0098A7D8	5_2_0098A7D8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00988C10	5_2_00988C10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_00986C30	5_2_00986C30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009E0040	5_2_009E0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_0438CE38	5_2_0438CE38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_043825D5	5_2_043825D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_04384008	5_2_04384008
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_009E8ADB	5_2_009E8ADB
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 11_2_03518108	11_2_03518108
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 11_2_03517AE8	11_2_03517AE8
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 14_2_01598108	14_2_01598108
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 14_2_01597AE8	14_2_01597AE8
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 21_2_00F28108	21_2_00F28108
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 21_2_00F27AF0	21_2_00F27AF0
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 31_2_01518108	31_2_01518108
Source: C:\Users\user\Desktop\POinv00393.exe	Code function: 31_2_01517AF0	31_2_01517AF0

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940

Source: POinv00393.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: POinv00393.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.335186152.0000000006D20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000000.206073920.0000000000E72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs POinv00393.exe
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedbdc ddb.exe2 vs POinv00393.exe
Source: POinv00393.exe, 00000009.00000000.243465863.0000000000802000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 0000000B.00000000.251187170.0000000000E12000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 0000000E.00000000.268933713.0000000000782000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 00000015.00000002.560738791.0000000000112000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 0000001A.00000002.409137032.00000000053A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs POinv00393.exe
Source: POinv00393.exe, 0000001A.00000002.343340975.000000000186A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs POinv00393.exe
Source: POinv00393.exe, 0000001A.00000000.306230207.0000000000CC2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe	Binary or memory string: OriginalFilename vs POinv00393.exe
Source: POinv00393.exe, 0000001F.00000000.325285879.0000000000742000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunFirst.exe8 vs POinv00393.exe
Source: POinv00393.exe, 0000001F.00000002.611727506.00000000012BA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs POinv00393.exe

Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000022.00000003.446565112.00000000051F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@30/27@7/5

Source: C:\Users\user\Desktop\POinv00393.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2100

Source: C:\Users\user\Desktop\POinv00393.exe

File created: C:\Users\user\AppData\Local\Temp\16654f11-3a02-4cab-b1ad-a4500300c0c5

Jump to behavior

Source: POinv00393.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POinv00393.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\POinv00393.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\POinv00393.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\POinv00393.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\POinv00393.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: POinv00393.exe	Virustotal: Detection: 34%
Source: POinv00393.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\POinv00393.exe

File read: C:\Users\user\Desktop\POinv00393.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Users\user\Desktop\POinv00393.exe 'C:\Users\user\Desktop\POinv00393.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1940
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\POinv00393.exe' -Force	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: C:\Users\user\Desktop\POinv00393.exe C:\Users\user\Desktop\POinv00393.exe	Jump to behavior
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown
Source: C:\Users\user\Desktop\POinv00393.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\POinv00393.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\POinv00393.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: POinv00393.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: POinv00393.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: POinv00393.exe

Static file information: File size 4552704 > 1048576

Source: POinv00393.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x43dc00

Source: POinv00393.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: anagement.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000022.00000003.388800534.0000000004A7F000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdbj source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: gdiplus.pdb8 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: indows.Forms.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdbl source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb{ source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb\ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: comctl32.pdbD source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc6.pdb~ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdbV source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.ni.pdbd source: WerFault.exe, 00000022.00000003.461500702.0000000004EFB000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: xecute.pdb source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb4 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbz source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: t.VisualBasic.pdb source: WerFault.exe, 00000022.00000003.464462813.000000000508D000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdbf source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdbH source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdb. source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wmiutils.pdbZ source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdbp source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: .ni.pdbd source: WerFault.exe, 00000022.00000003.465155833.0000000004EFF000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb2 source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: POinv00393.exe, 00000000.00000002.358061331.000000000744F000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000022.00000003.462512914.000000000508C000.00000004.00000001.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000022.00000003.461277400.0000000004EE1000.00000004.00000001.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: comctl32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdbB source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 00000022.00000002.622349558.00000000052C0000.00000004.00000001.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000022.00000003.463734280.0000000005087000.00000004.00000040.sdmp

Data Obfuscation:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report POinv00393.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: HawkEye

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation: