
Analysis Report K409476485-03032021000.pdf.exe

Overview

General Information

Sample Name: K409476485-03032021000.pdf.exe
Analysis ID: 361816
MD5: 88ff54784a623dcd43bb8c22491a5398
SHA1: 873bb1426e0863be86a1df2d94ab33d8ac340d48
SHA256: 93aacab7e09044795808ad1a0256c015271653ab0fe9d62785800c0f19ef1ad8
Tags: exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • K409476485-03032021000.pdf.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\K409476485-03032021000.pdf.exe' MD5: 88FF54784A623DCD43BB8C22491A5398)
    • K409476485-03032021000.pdf.exe (PID: 7072 cmdline: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe MD5: 88FF54784A623DCD43BB8C22491A5398)
      • vbc.exe (PID: 5752 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6324 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b719:$key: HawkEyeKeylogger
  • 0x7d917:$salt: 099u787978786
  • 0x7bd32:$string1: HawkEye_Keylogger
  • 0x7cb85:$string1: HawkEye_Keylogger
  • 0x7d877:$string1: HawkEye_Keylogger
  • 0x7c11b:$string2: holdermail.txt
  • 0x7c13b:$string2: holdermail.txt
  • 0x7c05d:$string3: wallet.dat
  • 0x7c075:$string3: wallet.dat
  • 0x7c08b:$string3: wallet.dat
  • 0x7d459:$string4: Keylog Records
  • 0x7d771:$string4: Keylog Records
  • 0x7d96f:$string5: do not script -->
  • 0x7b701:$string6: \pidloc.txt
  • 0x7b767:$string7: BSPLIT
  • 0x7b777:$string7: BSPLIT
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_HawkEye | Description: Yara detected HawkEye Keylogger | Author: Joe Security
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | Rule: Hawkeye | Description: detect HawkEye in memory | Author: JPCERT/CC Incident Response Group
  • 0x7bd8a:$hawkstr1: HawkEye Keylogger
  • 0x7cbcb:$hawkstr1: HawkEye Keylogger
  • 0x7cefa:$hawkstr1: HawkEye Keylogger
  • 0x7d055:$hawkstr1: HawkEye Keylogger
  • 0x7d1b8:$hawkstr1: HawkEye Keylogger
  • 0x7d431:$hawkstr1: HawkEye Keylogger
  • 0x7b918:$hawkstr2: Dear HawkEye Customers!
  • 0x7cf4d:$hawkstr2: Dear HawkEye Customers!
  • 0x7d0a4:$hawkstr2: Dear HawkEye Customers!
  • 0x7d20b:$hawkstr2: Dear HawkEye Customers!
  • 0x7ba39:$hawkstr3: HawkEye Logger Details:
(showing 5 of 20 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 3.2.K409476485-03032021000.pdf.exe.7d30000.11.raw.unpack | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 3.2.K409476485-03032021000.pdf.exe.85c0000.12.raw.unpack | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 3.2.K409476485-03032021000.pdf.exe.2db0cb4.5.raw.unpack | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 3.2.K409476485-03032021000.pdf.exe.3d79930.8.raw.unpack | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 3.2.K409476485-03032021000.pdf.exe.3d79930.8.raw.unpack | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
(showing 5 of 58 entries)

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe, CommandLine: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe, NewProcessName: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe, OriginalFileName: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\K409476485-03032021000.pdf.exe' , ParentImage: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe, ParentProcessId: 6960, ProcessCommandLine: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe, ProcessId: 7072

Signature Overview

AV Detection:

Found malware configuration
Source: K409476485-03032021000.pdf.exe.7072.3.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: K409476485-03032021000.pdf.exe | Virustotal: Detection: 37%
Source: K409476485-03032021000.pdf.exe | ReversingLabs: Detection: 19%
Machine Learning detection for sample
Source: K409476485-03032021000.pdf.exe | Joe Sandbox ML: detected
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack | Avira: Label: TR/Inject.vcoldi

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Unpacked PE file: 1.2.K409476485-03032021000.pdf.exe.260000.0.unpack
Uses 32bit PE files
Source: K409476485-03032021000.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: K409476485-03032021000.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen | 6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen | 7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose | 7_2_00407E0E
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 1_2_04CA6494
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_04CA6494
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 1_2_04CA64A0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_04CA64A0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then xor edx, edx | 1_2_04CA66EC
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then xor edx, edx | 1_2_04CA66F8
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 1_2_04CA6BC0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_04CA6BC0
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 1_2_04CA6BB4
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_04CA6BB4
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_04CA5D78
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_04CA5FBC
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FBFE8A
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then call 0543A6E8h | 3_2_05FDA45A
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FDA45A
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then call 0543A6E8h | 3_2_05FD9C10
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FD9C10
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FDA71F
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FD26D9
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FDB123
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FD2835
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FD2B99
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then call 0543A6E8h | 3_2_05FDA370
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FDA370
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FD326B
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FDAA44
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_05FDB20D
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_080F0326
Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 3_2_080F018F

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.6:49730 -> 103.27.200.199:21
Source: global traffic | TCP traffic: 192.168.2.6:49731 -> 103.27.200.199:35243
Source: Joe Sandbox View | IP Address: 103.27.200.199
Source: Joe Sandbox View | ASN Name: BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH
Source: unknown | FTP traffic detected: 103.27.200.199:21 -> 192.168.2.6:49730 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 8 of 50 allowed. 220-Local time is now 14:49. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 10.76.9.0.in-addr.arpa
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.339668576.0000000006003000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.337044965.000000000603E000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.comKo
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.337965083.000000000603E000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.como
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.591710521.000000000302E000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.triplelink.co.th
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmp, K409476485-03032021000.pdf.exe, 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343783361.000000000600A000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.342836300.0000000006002000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comL
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.342836300.0000000006002000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comQ
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.342836300.0000000006002000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.342836300.0000000006002000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-un
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com-gn
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers$
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348081975.000000000600D000.00000004.00000001.sdmp, K409476485-03032021000.pdf.exe, 00000003.00000003.345282412.000000000600A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.345282412.000000000600A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFe
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comT.TTFJ
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comX
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.596348173.0000000006000000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.596348173.0000000006000000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comae
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348081975.000000000600D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdkoX
Source: K409476485-03032021000.pdf.exe, 00000003.00000002.596348173.0000000006000000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comepkoW
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comessed=
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comion
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.348257540.000000000600D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comlic
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.347391240.000000000600A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comoitu
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.336579575.00000000014CB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comnd
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.339668576.0000000006003000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.344221992.000000000600A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343783361.000000000600A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-usX
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343140401.0000000006007000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/J
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343783361.000000000600A000.00000004.00000001.sdmp, K409476485-03032021000.pdf.exe, 00000003.00000003.343140401.0000000006007000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343140401.0000000006007000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/4
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343140401.0000000006007000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/=
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.344221992.000000000600A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/l-gn
            Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.co
            Source: vbc.exe, vbc.exe, 00000007.00000002.378872120.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.336106778.000000000603E000.00000004.00000001.sdmp, K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.336106778.000000000603E000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com5
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.336603366.000000000603E000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comg
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.335457848.00000000014CB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coml
            Source: K409476485-03032021000.pdf.exe, 00000003.00000003.343783361.000000000600A000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: K409476485-03032021000.pdf.exe, 00000003.00000002.597348617.0000000007212000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: vbc.exe, 00000007.00000003.378592469.00000000020FC000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activi
            Source: vbc.exe, 00000007.00000003.378678575.0000000000ACE000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
            Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
            Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
            Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
            Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
            Source: K409476485-03032021000.pdf.exe, 00000001.00000002.334914842.00000000027E4000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
            Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: vbc.exe, 00000007.00000003.378615686.0000000000ACC000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https:/

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match; File source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: K409476485-03032021000.pdf.exe PID: 7072, type: MEMORY
            Source: Yara match; File source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 3.2.K409476485-03032021000.pdf.exe.2d9b520.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE
            Contains functionality to log keystrokes (.Net Source)
            Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, Form1.cs; .Net Code: HookKeyboard
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 6_2_0040AC8A GetTempPathA, GetWindowsDirectoryA, GetTempFileNameA, OpenClipboard, GetLastError, DeleteFileA

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000003.00000002.589139096.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000002.590874619.0000000002D71000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000001.00000002.336336777.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 3.2.K409476485-03032021000.pdf.exe.45fa72.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 3.2.K409476485-03032021000.pdf.exe.2d9b520.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 3.2.K409476485-03032021000.pdf.exe.408208.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 3.2.K409476485-03032021000.pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 3.2.K409476485-03032021000.pdf.exe.409c0d.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.K409476485-03032021000.pdf.exe.43175f0.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.K409476485-03032021000.pdf.exe.45462a0.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.K409476485-03032021000.pdf.exe.426efd0.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
            Initial sample is a PE file and has a suspicious name
            Source: initial sample; Static PE information: Filename: K409476485-03032021000.pdf.exe
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD89A0 NtSetContextThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD8994 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD897C NtResumeThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FDF778 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FDF618 NtResumeThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD89B8 NtResumeThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD89AC NtSetContextThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD8964 NtResumeThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD8958 NtSetContextThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD894C NtSetContextThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD8940 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FD8928 NtResumeThread
            Source: C:\Users\user\Desktop\K409476485-03032021000.pdf.exe; Code function: 3_2_05FDF830 NtSetContextThread
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 7_2_00408836 memset, CreateFileW, NtQuerySystemInformation, NtQuerySystemInformation, FindCloseChangeNotification, GetCurrentProcessId, _wcsicmp, _wcsicmp, _wcsicmp, OpenProcess, GetCurrentProcess, DuplicateHandle, memset, NtQueryObject, CloseHandle, _wcsicmp, CloseHandle, FreeLibrary
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe