Loading ...

Play interactive tourEdit tour

Windows Analysis Report UMUNNA1.exe

Overview

General Information

Sample Name:UMUNNA1.exe
Analysis ID:443952
MD5:88fd4cf81a72a7a8642b4e248626bd28
SHA1:10f58d151e0ce590c27d2a9c33a2c5f8fdbf518b
SHA256:6bad2fb94eb774403450fc90c697e457c2d260eb0b20a96f15ee82cef6f74d86
Tags:exeHawkEye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • UMUNNA1.exe (PID: 6940 cmdline: 'C:\Users\user\Desktop\UMUNNA1.exe' MD5: 88FD4CF81A72A7A8642B4E248626BD28)
    • UMUNNA1.exe (PID: 5052 cmdline: C:\Users\user\Desktop\UMUNNA1.exe MD5: 88FD4CF81A72A7A8642B4E248626BD28)
      • vbc.exe (PID: 4116 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 660 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
    00000004.00000002.925540625.00000000066C0000.00000004.00000001.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
    00000004.00000002.925557781.0000000006810000.00000004.00000001.sdmpHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
    00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
    • 0x23a730:$key: HawkEyeKeylogger
    • 0x2bc9ca:$key: HawkEyeKeylogger
    • 0x33e9ea:$key: HawkEyeKeylogger
    • 0x23c946:$salt: 099u787978786
    • 0x2bebe0:$salt: 099u787978786
    • 0x340c00:$salt: 099u787978786
    • 0x23ad61:$string1: HawkEye_Keylogger
    • 0x23bbb4:$string1: HawkEye_Keylogger
    • 0x23c8a6:$string1: HawkEye_Keylogger
    • 0x2bcffb:$string1: HawkEye_Keylogger
    • 0x2bde4e:$string1: HawkEye_Keylogger
    • 0x2beb40:$string1: HawkEye_Keylogger
    • 0x33f01b:$string1: HawkEye_Keylogger
    • 0x33fe6e:$string1: HawkEye_Keylogger
    • 0x340b60:$string1: HawkEye_Keylogger
    • 0x23b14a:$string2: holdermail.txt
    • 0x23b16a:$string2: holdermail.txt
    • 0x2bd3e4:$string2: holdermail.txt
    • 0x2bd404:$string2: holdermail.txt
    • 0x33f404:$string2: holdermail.txt
    • 0x33f424:$string2: holdermail.txt
    00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      Click to see the 21 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      4.2.UMUNNA1.exe.88fa72.3.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
        4.2.UMUNNA1.exe.6810000.11.raw.unpackHKTL_NET_GUID_StealerDetects c# red/black-team tools via typelibguidArnim Rupp
        • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
        4.2.UMUNNA1.exe.3b80020.8.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
          4.2.UMUNNA1.exe.3b67e00.7.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            4.2.UMUNNA1.exe.839c0d.4.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              Click to see the 58 entries

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Antivirus / Scanner detection for submitted sampleShow sources
              Source: UMUNNA1.exeAvira: detected
              Found malware configurationShow sources
              Source: UMUNNA1.exe.6940.0.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
              Multi AV Scanner detection for domain / URLShow sources
              Source: bigcountrywater.comVirustotal: Detection: 9%Perma Link
              Multi AV Scanner detection for submitted fileShow sources
              Source: UMUNNA1.exeVirustotal: Detection: 81%Perma Link
              Source: UMUNNA1.exeMetadefender: Detection: 28%Perma Link
              Source: UMUNNA1.exeReversingLabs: Detection: 65%
              Machine Learning detection for sampleShow sources
              Source: UMUNNA1.exeJoe Sandbox ML: detected
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpackAvira: Label: TR/Inject.vcoldi
              Source: 4.2.UMUNNA1.exe.830000.1.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 4.2.UMUNNA1.exe.830000.1.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: UMUNNA1.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: C:\Users\user\Desktop\UMUNNA1.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
              Source: UMUNNA1.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: C:\Users\Adrian\Desktop\New folder\Dll\KFs1w6iPXQ9ctK\obj\Release\avimvIb.pdb source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Adrian\Desktop\New folder\Startup\Intel\Intel\obj\Release\Lkdsrfgj.pdb source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmp
              Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp
              Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe
              Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe
              Source: Binary string: mscorrc.pdb source: UMUNNA1.exe, 00000000.00000002.672498554.0000000004E50000.00000002.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924052820.0000000004FA0000.00000002.00000001.sdmp
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmpBinary or memory string: autorun.inf
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmpBinary or memory string: [autorun]
              Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then jmp 04CB1A73h
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then jmp 04CB1A73h
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then call 04CB1B20h
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4x nop then mov esp, ebp

              Networking:

              barindex
              Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
              Source: TrafficSnort IDS: 491 INFO FTP Bad login 155.254.17.54:21 -> 192.168.2.4:49748
              May check the online IP address of the machineShow sources
              Source: C:\Users\user\Desktop\UMUNNA1.exeDNS query: name: whatismyipaddress.com
              Source: C:\Users\user\Desktop\UMUNNA1.exeDNS query: name: whatismyipaddress.com
              Source: C:\Users\user\Desktop\UMUNNA1.exeDNS query: name: whatismyipaddress.com
              Source: C:\Users\user\Desktop\UMUNNA1.exeDNS query: name: whatismyipaddress.com
              Source: C:\Users\user\Desktop\UMUNNA1.exeDNS query: name: whatismyipaddress.com
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 104.16.155.36 104.16.155.36
              Source: unknownFTP traffic detected: 155.254.17.54:21 -> 192.168.2.4:49748 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 00:24. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_00CBA09A recv,
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe, 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, vbc.exe, 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000006.00000003.688028124.0000000000AFE000.00000004.00000040.sdmpString found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.facebook.com (Facebook)
              Source: vbc.exe, 00000006.00000003.688028124.0000000000AFE000.00000004.00000040.sdmpString found in binary or memory: ttps://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4421591https://consent.google.com/about:blankhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094152711;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login=37&ndec=1&cid=8HBI57XIG&prvid=77%2C184%2C188%2C226&rtime=3&https=1&usp_status=0&usp_consent=1&dcfp=gdpr,usphttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fintl%2Fen_uk%2Fchrome%2Fhttps://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.google.com&gl=GB&pc=s&uxe=4421591 equals www.yahoo.com (Yahoo)
              Source: unknownDNS traffic detected: queries for: 123.105.12.0.in-addr.arpa
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com
              Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: UMUNNA1.exe, 00000000.00000003.668596839.0000000005140000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
              Source: UMUNNA1.exe, 00000000.00000003.656710705.0000000005175000.00000004.00000001.sdmp, UMUNNA1.exe, 00000000.00000003.656517724.0000000005175000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: UMUNNA1.exe, 00000000.00000003.656564325.000000000515B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com)W
              Source: UMUNNA1.exe, 00000000.00000003.656600121.0000000005175000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comX
              Source: UMUNNA1.exe, 00000000.00000003.656564325.000000000515B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comccW:
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
              Source: UMUNNA1.exe, 00000000.00000003.668596839.0000000005140000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmS
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/%I
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-czKI
              Source: UMUNNA1.exe, 00000000.00000003.658718286.0000000005151000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/7I
              Source: UMUNNA1.exe, 00000000.00000003.658649586.0000000005151000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0rooI
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-dRI
              Source: UMUNNA1.exe, 00000000.00000003.658517716.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/dvI
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
              Source: UMUNNA1.exe, 00000000.00000003.658718286.0000000005151000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
              Source: UMUNNA1.exe, 00000000.00000003.658995751.000000000514A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/yI
              Source: vbc.exe, vbc.exe, 00000006.00000002.688595177.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
              Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
              Source: UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
              Source: UMUNNA1.exe, 00000000.00000002.674279886.0000000006352000.00000004.00000001.sdmp, UMUNNA1.exe, 00000004.00000002.924435769.0000000005380000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
              Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmpString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
              Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: vbc.exe, 00000006.00000003.688028124.0000000000AFE000.00000004.00000040.sdmpString found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
              Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/?gws_rd=ssl
              Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/ima
              Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
              Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/favicon.ico
              Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.ht
              Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=S&
              Source: vbc.exe, 00000006.00000002.690802950.00000000006D0000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/searchmh
              Source: vbc.exe, 00000006.00000002.690831909.00000000006D8000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2a

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              barindex
              Yara detected HawkEye KeyloggerShow sources
              Source: Yara matchFile source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: UMUNNA1.exe PID: 6940, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: UMUNNA1.exe PID: 5052, type: MEMORY
              Contains functionality to log keystrokes (.Net Source)Show sources
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.cs.Net Code: HookKeyboard
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,
              Source: C:\Users\user\Desktop\UMUNNA1.exeWindow created: window name: CLIPBRDWNDCLASS

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPEMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
              Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CE5696 NtWriteVirtualMemory,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CE55EE NtResumeThread,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CE5546 NtQuerySystemInformation,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CE5669 NtWriteVirtualMemory,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CE55DC NtResumeThread,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CE5534 NtQuerySystemInformation,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_005447D6
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB5180
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB79B0
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB10D3
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB34D2
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB10EB
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB108A
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0883
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB14B7
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB08B6
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB10A0
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB105C
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB144B
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0C48
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1044
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1468
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0C15
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB100F
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1027
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB11F5
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB15E9
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB09E4
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1196
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0D8C
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB2582
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0DB7
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB11AE
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1152
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB3D72
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1108
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB090E
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0D3D
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1123
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0527
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB06E4
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0EE4
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB12BF
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB06AB
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0E5B
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0E41
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1265
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB061E
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB121E
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0E11
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0A15
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0606
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1236
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0A2D
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0FD8
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB07C0
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0FF2
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB13E7
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0792
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0B97
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0F86
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0FBB
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0FA3
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB075F
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0F4F
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0B09
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0F39
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0B3C
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB1335
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04DB0B21
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_003B47D6
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CB6048
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CB5758
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CB7D10
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CB7098
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CB8068
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CB1DA8
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00404DDB
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0040BD8A
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00404E4C
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00404EBD
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_00404F4E
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404419
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00404516
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00413538
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004145A1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040E639
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004337AF
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_004399B1
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0043DAE7
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00405CF6
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00403F85
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00411F99
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
              Source: UMUNNA1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: UMUNNA1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: UMUNNA1.exe, 00000000.00000000.654277775.00000000005EC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamecremosso.exe4 vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLkdsrfgj.exe" vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000000.00000002.670132115.0000000002BD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameavimvIb.dll0 vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000000.00000002.672498554.0000000004E50000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000000.00000002.673122435.0000000005000000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000004.00000002.919565130.000000000045C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamecremosso.exe4 vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000004.00000002.919876218.00000000008B2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000004.00000002.926040527.0000000006F80000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs UMUNNA1.exe
              Source: UMUNNA1.exe, 00000004.00000002.924052820.0000000004FA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs UMUNNA1.exe
              Source: UMUNNA1.exeBinary or memory string: OriginalFilenamecremosso.exe4 vs UMUNNA1.exe
              Source: UMUNNA1.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
              Source: 4.2.UMUNNA1.exe.6810000.11.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.UMUNNA1.exe.66c0000.10.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 4.2.UMUNNA1.exe.88fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 4.2.UMUNNA1.exe.839c0d.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.UMUNNA1.exe.3d8fe4e.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.UMUNNA1.exe.838208.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.UMUNNA1.exe.2ba7f28.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.UMUNNA1.exe.3d96256.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.UMUNNA1.exe.3d97c5b.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 4.2.UMUNNA1.exe.2b88df0.6.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.925540625.00000000066C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000004.00000002.925557781.0000000006810000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000000.00000002.670247013.0000000003BD1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
              Source: 00000004.00000002.919651552.0000000000832000.00000040.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000002.922393547.0000000002B61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
              Source: UMUNNA1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: UMUNNA1.exe, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: UMUNNA1.exe, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.2.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.2.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.0.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.0.UMUNNA1.exe.540000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.0.UMUNNA1.exe.3b0000.0.unpack, VfCDGxLCwNyRp5SyIH/gghGWtpj6HnkevlTcY.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.csCryptographic APIs: 'CreateDecryptor'
              Source: 4.2.UMUNNA1.exe.830000.1.unpack, Form1.csBase64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'YWcX/+xyZbonJzjf8XsXocMSojtcj/vlwv11qSUwGlGCejjW2Bxu0PvUiwFA0fWY', 'L7P+iy5vVV9MFR2A1YrtqvivrdT0sug458w1e4EPZLbz+cqzSvpehnm4plBBK3RQ0NzORG8/DePFVT8ZQgvOuw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
              Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@7/4@3/3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04FE0E72 AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 0_2_04FE0E3B AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CE5476 AdjustTokenPrivileges,
              Source: C:\Users\user\Desktop\UMUNNA1.exeCode function: 4_2_04CE543F AdjustTokenPrivileges,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 5_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,
              Source: C:\Users\user\Desktop\UMUNNA1.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\UMUNNA1.exe.log