Windows Analysis Report ypBoHI5G3x

Overview

General Information

Sample Name: ypBoHI5G3x (renamed file extension from none to exe)
Analysis ID: 454641
MD5: 08d679d4b9a12137756cc9244bd6f017
SHA1: 580c29bc356057d76873c9c453ed466e1024b7f2
SHA256: 047f33e6f83796d9fc056d7006a6e8ef69696d63eceb29fb1592bb13a62e79bf
Tags: 32 exe trojan

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w10x64
  • ypBoHI5G3x.exe (PID: 6504 cmdline: 'C:\Users\user\Desktop\ypBoHI5G3x.exe' MD5: 08D679D4B9A12137756CC9244BD6F017)
    • InstallUtil.exe (PID: 6456 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • vbc.exe (PID: 5560 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 5432 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.613574939.0000000008110000.00000004.00000001.sdmp | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000013.00000002.491218277.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x37e24:$hawkstr1: HawkEye Keylogger
  • 0x3b150:$hawkstr1: HawkEye Keylogger
  • 0x3b4d0:$hawkstr1: HawkEye Keylogger
  • 0x3d994:$hawkstr1: HawkEye Keylogger
  • 0x378dc:$hawkstr2: Dear HawkEye Customers!
  • 0x3b1b0:$hawkstr2: Dear HawkEye Customers!
  • 0x3b530:$hawkstr2: Dear HawkEye Customers!
  • 0x37a0a:$hawkstr3: HawkEye Logger Details:
00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0xfdd61:$key: HawkEyeKeylogger
  • 0x17fe1f:$key: HawkEyeKeylogger
  • 0x2022ff:$key: HawkEyeKeylogger
  • 0xfff5f:$salt: 099u787978786
  • 0x18201d:$salt: 099u787978786
  • 0x2044fd:$salt: 099u787978786
  • 0xfe37a:$string1: HawkEye_Keylogger
  • 0xff1cd:$string1: HawkEye_Keylogger
  • 0xffebf:$string1: HawkEye_Keylogger
  • 0x180438:$string1: HawkEye_Keylogger
  • 0x18128b:$string1: HawkEye_Keylogger
  • 0x181f7d:$string1: HawkEye_Keylogger
  • 0x202918:$string1: HawkEye_Keylogger
  • 0x20376b:$string1: HawkEye_Keylogger
  • 0x20445d:$string1: HawkEye_Keylogger
  • 0xfe763:$string2: holdermail.txt
  • 0xfe783:$string2: holdermail.txt
  • 0x180821:$string2: holdermail.txt
  • 0x180841:$string2: holdermail.txt
  • 0x202d01:$string2: holdermail.txt
  • 0x202d21:$string2: holdermail.txt

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.InstallUtil.exe.7750000.11.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
12.2.InstallUtil.exe.2b6ec2c.6.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
12.2.InstallUtil.exe.3b39930.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
12.2.InstallUtil.exe.45fa72.2.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
19.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\ypBoHI5G3x.exe' , ParentImage: C:\Users\user\Desktop\ypBoHI5G3x.exe, ParentProcessId: 6504, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6456

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: ypBoHI5G3x.exe.6504.1.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: ypBoHI5G3x.exe | Virustotal: Detection: 28%
Source: ypBoHI5G3x.exe | ReversingLabs: Detection: 32%
Machine Learning detection for sample
Source: ypBoHI5G3x.exe | Joe Sandbox ML: detected
Source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack | Avira: Label: TR/Inject.vcoldi
Source: 12.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 12.2.InstallUtil.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack | Avira: Label: TR/Inject.vcoldi
Source: ypBoHI5G3x.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.6:49723 version: TLS 1.0
Source: ypBoHI5G3x.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.613574939.0000000008110000.00000004.00000001.sdmp
            Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: ypBoHI5G3x.exe, 00000001.00000002.463314966.000000000768B000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599966159.00000000008B2000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe
            Source: Binary string: InstallUtil.pdb source: ypBoHI5G3x.exe, 00000001.00000002.463314966.000000000768B000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen | 18_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_00407E0E FindFirstFileW,FindNextFileW,FindClose | 18_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 19_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen | 19_2_00406EC3
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_05FFC130
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_05FF9648
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 1_2_05FFA0D8
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_05FFA0D8
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 1_2_05FFA0CC
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_05FFA0CC
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then xor edx, edx | 1_2_05FFA010
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then xor edx, edx | 1_2_05FFA004
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_05FFC37D
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 1_2_05FF9DB8
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_05FF9DB8
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 1_2_05FF9DAD
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 1_2_05FF9DAD
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then jmp 05FF51E0h | 1_2_05FF4968
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then jmp 05FF51E0h | 1_2_05FF4959
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_05FF98D5
Source: C:\Users\user\Desktop\ypBoHI5G3x.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 1_2_05FFA828
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then jmp 0516A630h | 12_2_0516A559
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then jmp 0516A630h | 12_2_0516A568
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 12_2_05169EF5
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 12_2_05162B75
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 12_2_05169A2D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.6:49759 -> 45.141.152.18:21
Source: global traffic | TCP traffic: 192.168.2.6:49760 -> 45.141.152.18:62998
Source: Joe Sandbox View | IP Address: 45.141.152.18 45.141.152.18
Source: Joe Sandbox View | ASN Name: M247GB M247GB
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | FTP traffic detected: 45.141.152.18:21 -> 192.168.2.6:49759
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 8 of 50 allowed.
220-Local time is now 05:13. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.6:49723 version: TLS 1.0
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.493947169.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, vbc.exe, 00000012.00000002.493947169.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: www.google.com
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: InstallUtil.exe, 0000000C.00000002.602869141.0000000002BF3000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.vngpack.com
Source: ypBoHI5G3x.exe, 00000001.00000003.347743311.000000000736F000.00000004.00000001.sdmp, ypBoHI5G3x.exe, 00000001.00000003.446695266.0000000007376000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: ypBoHI5G3x.exe, 00000001.00000003.347743311.000000000736F000.00000004.00000001.sdmp, ypBoHI5G3x.exe, 00000001.00000003.446695266.0000000007376000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: ypBoHI5G3x.exe, 00000001.00000003.446695266.0000000007376000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g%%N
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: ypBoHI5G3x.exe, 00000001.00000002.448077774.0000000003167000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: ypBoHI5G3x.exe, 00000001.00000002.447965365.0000000003121000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ypBoHI5G3x.exe, 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: vbc.exe, vbc.exe, 00000013.00000002.491218277.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: InstallUtil.exe, 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
            Source: InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: InstallUtil.exe, 0000000C.00000002.612022947.0000000006F52000.00000004.00000001.sdmp, InstallUtil.exe, 0000000C.00000003.455377795.0000000005D47000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: InstallUtil.exe, 0000000C.00000003.455377795.0000000005D47000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnm
            Source: vbc.exe, 00000012.00000003.493497095.00000000022DC000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activi
            Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
            Source: ypBoHI5G3x.exe, 00000001.00000002.447965365.0000000003121000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
            Source: ypBoHI5G3x.exe, 00000001.00000002.447965365.0000000003121000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
            Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 12.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 12.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 12.2.InstallUtil.exe.2b5b2a0.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.41a1cf2.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 12.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.43944ca.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.419b8ea.4.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.41a36f7.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 12.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.43944ca.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.439c2d7.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.ypBoHI5G3x.exe.439a8d2.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0000000C.00000002.602473757.0000000002B31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.455567208.0000000004312000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000C.00000002.599637682.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.455392795.000000000419B000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: ypBoHI5G3x.exe PID: 6504, type: MEMORY
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6456, type: MEMORY
            Contains functionality to log keystrokes (.Net Source)
            Source: 12.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 18_2_0040D674 OpenClipboard,GetLastError,DeleteFileW,18_2_0040D674

            System Summary:
