Windows Analysis Report 280072109764552.doc

Overview

General Information

Sample Name: 280072109764552.doc
Analysis ID: 455555
MD5: ae01f0cc63c8a3b7bb239976c56788c3
SHA1: cd86bb62ab645cab4d20ec8a931ca9e84801ea36
SHA256: fde845dc869db03ce766a34d4d325cfb60ea5e605244e823fcfea5b3135aacb7
Tags: doc
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: 280072109764552.doc Avira: detected
Found malware configuration
Source: name.exe.1776.4.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\name.exe ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: 280072109764552.doc ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\name.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.InstallUtil.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.name.exe.3682b02.11.unpack Avira: Label: TR/Inject.vcoldi
Source: 4.2.name.exe.3489f22.7.unpack Avira: Label: TR/Inject.vcoldi

Exploits:

barindex
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\name.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\name.exe Jump to behavior
Office Equation Editor has been started
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

barindex
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.22:49168 -> 142.250.203.100:443 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb source: name.exe, 00000004.00000002.2153168728.0000000006870000.00000004.00000001.sdmp, InstallUtil.exe

Spreading:

barindex
May infect USB drives
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 7_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ Jump to behavior

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4x nop then jmp 00349438h 4_2_00348BB7
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001A185D
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001ACC7D
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then call 001A2300h 5_2_001AC8CE
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001AC8CE
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then call 001A2300h 5_2_001AC171
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001AC171
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001AE199
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001A998D
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then jmp 001A2248h 5_2_001A2180
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then call 001A2300h 5_2_001AC9B8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001AC9B8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001A0A55
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001AD67E
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001AE32E
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001AD768
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001ACFA1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001A1BA5
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 5_2_001AA3C3
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: vecvietnam.com.vn
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 142.250.203.100:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.255.237.180:80

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.22:49171 -> 45.141.152.18:21
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 45.141.152.18:64943
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: ApacheDate: Wed, 28 Jul 2021 15:01:16 GMTContent-Type: application/octet-streamContent-Length: 1383936Last-Modified: Wed, 28 Jul 2021 00:30:49 GMTConnection: keep-aliveETag: "6100a539-151e00"Expires: Fri, 27 Aug 2021 15:01:16 GMTCache-Control: max-age=2592000Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c7 80 a0 3c 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 0a 15 00 00 12 00 00 00 00 00 00 ce 29 15 00 00 20 00 00 00 40 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 29 15 00 4f 00 00 00 00 40 15 00 84 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 09 15 00 00 20 00 00 00 0a 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 0e 00 00 00 40 15 00 00 10 00 00 00 0c 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 15 00 00 02 00 00 00 1c 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 29 15 00 00 00 00 00 48 00 00 00 02 00 05 00 cc 31 14 00 b0 f7 00 00 03 00 02 00 ec 00 00 06 d0 8b 03 00 fa a5 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 4a ec 6a f8 97 e3 ec dd a8 de 31 58 b3 92 bf 6e 7d d6 d1 7c 1a 30 16 5f fe 66 6f 61 b5 17 5e 25 4d d0 96 03 24 43 31 ca 10 70 05 87 34 b9 93 18 8f b3 a1 c5 5d da 81 19 d5 0a f9 30 73 8b 28 90 7f 0c 0b e2 fa bc 49 3a a5 07 6c a8 2a 8e 2b 44 d2 57 d0 01 75 97 c7 71 4e 7c 2c 19 49 00 56 83 48 74 07 27 ae b0 1d d2 6a 67 20 55 6d d7 ed 46 de b4 5d 1c b9 26 1a e6 44 98 93 7d 8f 2f ef a4 b0 e8 60 b5 87 03 95 21 39 fc 96 0e 77 71 04 76 8d e4 3a 94 a1 39 c9 21 59 1f e2 16 1d 9e 43 3a 76 7a a4 84 76 38 be da 1e 3c e1 bc 8f 0c 6f d1 93 1d ee a9 f4 5b 03 76 1e 3f 5b 67 20 7f 04 9a b9 5c 96 fb cb 7e fe 55 26 5e 75 65 57 0d 90 4c ae 10 81 00 af 99 44 1a 77 2e 65 37 dc 56 ba 9e 37 47 02 33 74 72 05 15 1d 99 83 95 e5 9c 1f 11 ad 0e b7 0f fd 04 ea 20 17 7c 84 9d 19 c6 78 ce a3 d5 2d 0f 0a 5d d7 3c 0a 6b e1 15 15 ae 34 d9 0f 53 88 cd 9e ab a0 33 5c e1 1c f7 ed 67 fb 55 21 b4 f1 0f 6f 0f 07 50
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.141.152.18 45.141.152.18
Source: Joe Sandbox View IP Address: 45.141.152.18 45.141.152.18
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View ASN Name: M247GB M247GB
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Uses FTP
Source: unknown FTP traffic detected: 45.141.152.18:21 -> 192.168.2.22:49171 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 11:02. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 11:02. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 11:02. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 11:02. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /xpen3/09867654270721.PDF.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: vecvietnam.com.vnConnection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 192.168.2.22:49168 -> 142.250.203.100:443 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{238E66D8-299E-4B99-A605-44EE5B79BCDD}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /xpen3/09867654270721.PDF.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: vecvietnam.com.vnConnection: Keep-Alive
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: vecvietnam.com.vn
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: name.exe, 00000004.00000002.2141473000.0000000000A7C000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp String found in binary or memory: http://ftp.vngpack.com
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp String found in binary or memory: http://n.f
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp, name.exe, 00000004.00000002.2150294891.0000000005113000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/s
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobede
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp String found in binary or memory: http://ns.ao
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: name.exe, 00000004.00000002.2141909608.0000000002481000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: name.exe, 00000004.00000002.2150758062.0000000005CA0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: name.exe, 00000004.00000002.2150758062.0000000005CA0000.00000002.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2374162693.00000000081A0000.00000002.00000001.sdmp, vbc.exe, 00000007.00000002.2180304316.00000000028B0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe String found in binary or memory: http://www.nirsoft.net/
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
Contains functionality to log keystrokes (.Net Source)
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 6_2_0040AC8A

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: 4.2.name.exe.30000.0.unpack, g4K/Dj6.cs Large array initialization: .cctor: array initializer size 4259
Source: 4.2.name.exe.30000.0.unpack, k0N/Ee6.cs Large array initialization: .cctor: array initializer size 4998
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\name.exe Jump to dropped file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\name.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A8598 NtWriteVirtualMemory, 5_2_001A8598
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A8580 NtResumeThread, 5_2_001A8580
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A85A4 NtSetContextThread, 5_2_001A85A4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001ADA88 NtResumeThread, 5_2_001ADA88
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001AE018 NtSetContextThread, 5_2_001AE018
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A85BC NtResumeThread, 5_2_001A85BC
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A85B0 NtSetContextThread, 5_2_001A85B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A8670 NtResumeThread, 5_2_001A8670
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A8694 NtSetContextThread, 5_2_001A8694
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A8688 NtWriteVirtualMemory, 5_2_001A8688
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A86AC NtResumeThread, 5_2_001A86AC
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A86A0 NtSetContextThread, 5_2_001A86A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001ADF60 NtWriteVirtualMemory, 5_2_001ADF60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 7_2_00408836
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E3668 CreateProcessAsUserW, 4_2_009E3668
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00037A33 4_2_00037A33
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00348BB7 4_2_00348BB7
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00347439 4_2_00347439
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00349460 4_2_00349460
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00349450 4_2_00349450
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00347448 4_2_00347448
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_0034AAD0 4_2_0034AAD0
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_0034AAC0 4_2_0034AAC0
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00341C9A 4_2_00341C9A
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E44F9 4_2_009E44F9
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E5821 4_2_009E5821
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E9939 4_2_009E9939
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E2D31 4_2_009E2D31
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E72E2 4_2_009E72E2
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E7A10 4_2_009E7A10
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E3A00 4_2_009E3A00
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009EC228 4_2_009EC228
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E8C98 4_2_009E8C98
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E8C88 4_2_009E8C88
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009EB0E0 4_2_009EB0E0
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E0006 4_2_009E0006
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E0048 4_2_009E0048
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E9110 4_2_009E9110
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E9100 4_2_009E9100
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009ECE58 4_2_009ECE58
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009E1268 4_2_009E1268
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_009EA3E8 4_2_009EA3E8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_012420B0 5_2_012420B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A9418 5_2_001A9418
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A9D00 5_2_001A9D00
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001AAD40 5_2_001AAD40
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A72A0 5_2_001A72A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001ABB30 5_2_001ABB30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A7B70 5_2_001A7B70
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001AAD2F 5_2_001AAD2F
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001AC171 5_2_001AC171
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A25AB 5_2_001A25AB
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 5_2_001A6F58 5_2_001A6F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404DDB 6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040BD8A 6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404E4C 6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404EBD 6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404F4E 6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404419 7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00404516 7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00413538 7_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004145A1 7_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0040E639 7_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004337AF 7_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_004399B1 7_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_0043DAE7 7_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00405CF6 7_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00403F85 7_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411F99 7_2_00411F99
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 815FD29D891CB94418BB0CDC44D5095230989FE9DA58421319FCD57E458E39A9
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Yara signature match
Source: 5.2.InstallUtil.exe.5e0000.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.4e0000.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.2689414.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2684de0.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363914554.00000000005E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'zfWNmoVCmw9cYxvRPzpOe7yARVOHExi6TsOCR63LGMs+Lv0nLSEyXoiEOPiEzRyN', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@10/15@5/3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 7_2_00415AFD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 7_2_00415F87
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 7_2_00411196
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource, 6_2_0040ED0B
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$0072109764552.doc Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD9EA.tmp Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 280072109764552.doc ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'
Source: C:\Users\user\AppData\Roaming\name.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\name.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: 280072109764552.doc Static file information: File size 2202571 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb source: name.exe, 00000004.00000002.2153168728.0000000006870000.00000004.00000001.sdmp, InstallUtil.exe

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA, 6_2_00404837
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_0003260D push cs; iretd 4_2_0003260F
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00035610 push esi; iretd 4_2_0003561D
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_0003401C pushad ; retf 4_2_00034019
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00035A34 push eax; retf 4_2_00035A5C
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00035A47 push eax; retf 4_2_00035A5C
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00034E93 pushad ; retf 4_2_00034ED4
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00032894 push ds; iretd 4_2_00032898
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00034D05 pushad ; retf 4_2_00034ED4
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00036D50 push es; ret 4_2_00036D5D
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00033955 push esi; retf 4_2_0003395E
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00035992 push eax; retf 4_2_00035A5C
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00033FDC pushad ; retf 4_2_00034019
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_000355E2 push 664C7BE7h; iretd 4_2_000355F0
Source: C:\Users\user\AppData\Roaming\name.exe Code function: 4_2_00034FE7 push 680E75D9h; retf 4_2_00034FEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_00411879 push ecx; ret 6_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004118A0 push eax; ret 6_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_004118A0 push eax; ret 6_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442871 push ecx; ret 7_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442A90 push eax; ret 7_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00442A90 push eax; ret 7_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 7_2_00446E54 push eax; ret 7_2_00446E61
Source: 4.2.name.exe.30000.0.unpack, Sz9/n0P.cs High entropy of concatenated method names: '.ctor', 'o5G', 'k2L', 'd4D', 'k5R', 'k5G', 'p5N', 'Lk2', 'c6F', 'Ri8'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\AppData\Roaming\name.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Roaming\name.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Roaming\name.exe File opened: C:\Users\user\AppData\Roaming\name.exe\:Zone.Identifier read attributes | delete Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_0040F64B
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior