
Windows Analysis Report pxn91KhFLB

Overview

General Information

Sample Name: pxn91KhFLB (renamed file extension from none to exe)
Analysis ID: 455882
MD5: fa0a3ed04eec65d6d3fb55aa7d2497c1
SHA1: 89aafe0cfec4ecc13fd7f255b1e6e8af903ddbd0
SHA256: 2c6df9a84b482c1dd1af8ee142ccdfeab23234a8507f3cc637aee9161a6c58b8
Tags: 32, exe, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Process Tree

  • System is w10x64
  • pxn91KhFLB.exe (PID: 6632 cmdline: 'C:\Users\user\Desktop\pxn91KhFLB.exe' MD5: FA0A3ED04EEC65D6D3FB55AA7D2497C1)
    • InstallUtil.exe (PID: 6552 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • vbc.exe (PID: 6136 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 1332 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net> | Strings:
  • 0x7b697:$key: HawkEyeKeylogger
  • 0x7d895:$salt: 099u787978786
  • 0x7bcb0:$string1: HawkEye_Keylogger
  • 0x7cb03:$string1: HawkEye_Keylogger
  • 0x7d7f5:$string1: HawkEye_Keylogger
  • 0x7c099:$string2: holdermail.txt
  • 0x7c0b9:$string2: holdermail.txt
  • 0x7bfdb:$string3: wallet.dat
  • 0x7bff3:$string3: wallet.dat
  • 0x7c009:$string3: wallet.dat
  • 0x7d3d7:$string4: Keylog Records
  • 0x7d6ef:$string4: Keylog Records
  • 0x7d8ed:$string5: do not script -->
  • 0x7b67f:$string6: \pidloc.txt
  • 0x7b6e5:$string7: BSPLIT
  • 0x7b6f5:$string7: BSPLIT
00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group | Strings:
  • 0x7bd08:$hawkstr1: HawkEye Keylogger
  • 0x7cb49:$hawkstr1: HawkEye Keylogger
  • 0x7ce78:$hawkstr1: HawkEye Keylogger
  • 0x7cfd3:$hawkstr1: HawkEye Keylogger
  • 0x7d136:$hawkstr1: HawkEye Keylogger
  • 0x7d3af:$hawkstr1: HawkEye Keylogger
  • 0x7b896:$hawkstr2: Dear HawkEye Customers!
  • 0x7cecb:$hawkstr2: Dear HawkEye Customers!
  • 0x7d022:$hawkstr2: Dear HawkEye Customers!
  • 0x7d189:$hawkstr2: Dear HawkEye Customers!
  • 0x7b9b7:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.InstallUtil.exe.45fa72.3.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
9.2.InstallUtil.exe.38a9930.7.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
12.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
9.2.InstallUtil.exe.7370000.12.raw.unpack | HKTL_NET_GUID_Stealer | Detects c# red/black-team tools via typelibguid | Arnim Rupp | Strings:
  • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
12.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\pxn91KhFLB.exe' , ParentImage: C:\Users\user\Desktop\pxn91KhFLB.exe, ParentProcessId: 6632, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6552

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: vbc.exe.6136.12.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
Multi AV Scanner detection for submitted file
Source: pxn91KhFLB.exe; ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: pxn91KhFLB.exe; Joe Sandbox ML: detected
Source: 9.2.InstallUtil.exe.400000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 9.2.InstallUtil.exe.400000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.pxn91KhFLB.exe.363adca.4.unpack; Avira: Label: TR/Inject.vcoldi
Source: 0.2.pxn91KhFLB.exe.38339aa.7.unpack; Avira: Label: TR/Inject.vcoldi
Source: pxn91KhFLB.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown; HTTPS traffic detected: 216.58.215.228:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: pxn91KhFLB.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: pxn91KhFLB.exe, 00000000.00000002.785807918.00000000037B1000.00000004.00000001.sdmp, InstallUtil.exe, 00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: pxn91KhFLB.exe, 00000000.00000002.791544243.0000000006478000.00000004.00000001.sdmp, InstallUtil.exe, 00000009.00000000.759330574.00000000004F2000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: pxn91KhFLB.exe, 00000000.00000002.785807918.00000000037B1000.00000004.00000001.sdmp, InstallUtil.exe, 00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: pxn91KhFLB.exe, 00000000.00000002.785807918.00000000037B1000.00000004.00000001.sdmp, InstallUtil.exe, 00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source: Binary string: InstallUtil.pdb source: pxn91KhFLB.exe, 00000000.00000002.791544243.0000000006478000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.0.dr
Source: pxn91KhFLB.exe, 00000000.00000002.785807918.00000000037B1000.00000004.00000001.sdmp; Binary or memory string: autorun.inf
Source: pxn91KhFLB.exe, 00000000.00000002.785807918.00000000037B1000.00000004.00000001.sdmp; Binary or memory string: [autorun]
Source: InstallUtil.exe, 00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp; Binary or memory string: autorun.inf
Source: InstallUtil.exe, 00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp; Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 12_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 12_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 13_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 13_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe; Code function: 13_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 13_2_00407E0E
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_071CA6AC
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_071C26D9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_071C2BA1
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then call 04FAA6E8h 9_2_071C9878
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_071C9878
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_071E0326
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h] 9_2_071E0192

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.4:49761 -> 45.141.152.18:21
Source: global traffic; TCP traffic: 192.168.2.4:49762 -> 45.141.152.18:55244
Source: Joe Sandbox View; IP Address: 45.141.152.18
Source: Joe Sandbox View; ASN Name: M247GB
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; FTP traffic detected: 45.141.152.18:21 -> 192.168.2.4:49761 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 1 of 50 allowed. 220-Local time is now 17:21. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: unknown; HTTPS traffic detected: 216.58.215.228:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: vbc.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown; DNS traffic detected: queries for: www.google.com
                Source: InstallUtil.exe, 00000009.00000002.922968841.0000000005A40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: pxn91KhFLB.exe, 00000000.00000002.773908648.00000000025C1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
                Source: vbc.exe, 0000000D.00000003.814001510.000000000097E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com&continue=https://www.google.com/?gws_rd%3Dssl&if=1&m=0&pc=s&wp=-1&gl=GB&uxe=4
                Source: pxn91KhFLB.exe, 00000000.00000002.773908648.00000000025C1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
                Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                Yara detected HawkEye Keylogger
                Source: Yara match | File source: 0.2.pxn91KhFLB.exe.363adca.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pxn91KhFLB.exe.38339aa.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.InstallUtil.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pxn91KhFLB.exe.3642bd7.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pxn91KhFLB.exe.36411d2.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pxn91KhFLB.exe.363adca.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pxn91KhFLB.exe.3839db2.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pxn91KhFLB.exe.38339aa.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.pxn91KhFLB.exe.383b7b7.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.InstallUtil.exe.28cb278.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.785549628.000000000363A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.785807918.00000000037B1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.920464842.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6552, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: pxn91KhFLB.exe PID: 6632, type: MEMORYSTR
                Contains functionality to log keystrokes (.Net Source)
                Source: 9.2.InstallUtil.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, | 12_2_0040AC8A

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 0.2.pxn91KhFLB.exe.363adca.4.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.pxn91KhFLB.exe.363adca.4.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.pxn91KhFLB.exe.38339aa.7.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.pxn91KhFLB.exe.38339aa.7.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 9.2.InstallUtil.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 9.2.InstallUtil.exe.45fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 9.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 9.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.pxn91KhFLB.exe.3642bd7.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.pxn91KhFLB.exe.3642bd7.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.pxn91KhFLB.exe.36411d2.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.pxn91KhFLB.exe.36411d2.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.pxn91KhFLB.exe.363adca.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.pxn91KhFLB.exe.363adca.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 9.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 9.2.InstallUtil.exe.409c0d.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.pxn91KhFLB.exe.3839db2.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.pxn91KhFLB.exe.3839db2.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.pxn91KhFLB.exe.38339aa.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.pxn91KhFLB.exe.38339aa.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.pxn91KhFLB.exe.383b7b7.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0.2.pxn91KhFLB.exe.383b7b7.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 9.2.InstallUtil.exe.28cb278.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000009.00000002.919173825.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.785549628.000000000363A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.785549628.000000000363A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.785807918.00000000037B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.785807918.00000000037B1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000009.00000002.920464842.00000000028A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                .NET source code contains very large array initializations
                Source: pxn91KhFLB.exe, g4K/Dj6.cs | Large array initialization: .cctor: array initializer size 4259
                Source: pxn91KhFLB.exe, k0N/Ee6.cs | Large array initialization: .cctor: array initializer size 4998
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C897C NtResumeThread, | 9_2_071C897C
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C8994 NtWriteVirtualMemory, | 9_2_071C8994
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C89A0 NtSetContextThread, | 9_2_071C89A0
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071CF778 NtWriteVirtualMemory, | 9_2_071CF778
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071CF618 NtResumeThread, | 9_2_071CF618
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C8928 NtResumeThread, | 9_2_071C8928
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C8958 NtSetContextThread, | 9_2_071C8958
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C894C NtSetContextThread, | 9_2_071C894C
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C8940 NtWriteVirtualMemory, | 9_2_071C8940
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C8964 NtResumeThread, | 9_2_071C8964
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C89B8 NtResumeThread, | 9_2_071C89B8
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C89AC NtSetContextThread, | 9_2_071C89AC
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071CF830 NtSetContextThread, | 9_2_071CF830
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C88E7 NtSetContextThread, | 9_2_071C88E7
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, | 13_2_00408836
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_06761140 CreateProcessAsUserW, | 0_2_06761140
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_001C7A33 | 0_2_001C7A33
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_0243003C | 0_2_0243003C
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_0243ED90 | 0_2_0243ED90
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_06760040 | 0_2_06760040
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_067628A0 | 0_2_067628A0
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_06760AC8 | 0_2_06760AC8
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_06761748 | 0_2_06761748
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_067634C0 | 0_2_067634C0
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_06762890 | 0_2_06762890
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_0677DE19 | 0_2_0677DE19
                Source: C:\Users\user\Desktop\pxn91KhFLB.exe | Code function: 0_2_0677D6E9 | 0_2_0677D6E9
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_004F20B0 | 9_2_004F20B0
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_0265B29C | 9_2_0265B29C
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_0265C310 | 9_2_0265C310
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_026599D0 | 9_2_026599D0
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_0265DFD0 | 9_2_0265DFD0
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071CB540 | 9_2_071CB540
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071CEC50 | 9_2_071CEC50
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C2BA8 | 9_2_071C2BA8
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C3BE8 | 9_2_071C3BE8
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C22B8 | 9_2_071C22B8
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C6AA0 | 9_2_071C6AA0
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C9888 | 9_2_071C9888
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C3BD7 | 9_2_071C3BD7
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C22A9 | 9_2_071C22A9
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_071C9878 | 9_2_071C9878
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_075AB4E0 | 9_2_075AB4E0
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_075AEEC8 | 9_2_075AEEC8
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_075ABDB0 | 9_2_075ABDB0
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_075AB198 | 9_2_075AB198
                Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe | Code function: 9_2_075A0006 | 9_2_075A0006
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00404DDB | 12_2_00404DDB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_0040BD8A | 12_2_0040BD8A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00404E4C | 12_2_00404E4C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00404EBD | 12_2_00404EBD
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 12_2_00404F4E | 12_2_00404F4E
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 13_2_00404419