Play interactive tour

Edit tour

Windows Analysis Report 201021.exe

Overview

General Information

Sample Name:	201021.exe
Analysis ID:	506137
MD5:	ff59b59d6fb138bd3a588d89ea0fa1d7
SHA1:	fad22ded5983e8d5a9bffa398c3281670e496f46
SHA256:	8e1c67e8ed76591ed779773be365b2b66440d958f1bf3556d4512f71836c3d2f
Tags:	exehawkeye
Infos:
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected MailPassView

Multi AV Scanner detection for submitted file

Yara detected HawkEye Keylogger

Malicious sample detected (through community Yara rule)

Detected HawkEye Rat

Sample uses process hollowing technique

Installs a global keyboard hook

Writes to foreign memory regions

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Tries to steal Mail credentials (via file registry)

Changes the view of files in windows explorer (hidden files and folders)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Yara detected WebBrowserPassView password recovery tool

.NET source code contains very large array initializations

Hides that the sample has been downloaded from the Internet (zone.identifier)

Tries to steal Mail credentials (via file access)

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

May infect USB drives

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Uses insecure TLS / SSL version for HTTPS connection

Contains long sleeps (>= 3 min)

Enables debug privileges

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

201021.exe (PID: 2168 cmdline: 'C:\Users\user\Desktop\201021.exe' MD5: FF59B59D6FB138BD3A588D89EA0FA1D7)

InstallUtil.exe (PID: 6672 cmdline: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

vbc.exe (PID: 7120 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

vbc.exe (PID: 7128 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)

WerFault.exe (PID: 2212 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6672 -s 1932 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.406134139.0000000007D10000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000000.334047730.0000000002DCA000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25d0:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6ba:$key: HawkEyeKeylogger 0x7d8c8:$salt: 099u787978786 0x7bce3:$string1: HawkEye_Keylogger 0x7cb36:$string1: HawkEye_Keylogger 0x7d828:$string1: HawkEye_Keylogger 0x7c0cc:$string2: holdermail.txt 0x7c0ec:$string2: holdermail.txt 0x7c00e:$string3: wallet.dat 0x7c026:$string3: wallet.dat 0x7c03c:$string3: wallet.dat 0x7d40a:$string4: Keylog Records 0x7d722:$string4: Keylog Records 0x7d920:$string5: do not script --> 0x7b6a2:$string6: \pidloc.txt 0x7b718:$string7: BSPLIT 0x7b728:$string7: BSPLIT
0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd3b:$hawkstr1: HawkEye Keylogger 0x7cb7c:$hawkstr1: HawkEye Keylogger 0x7ceab:$hawkstr1: HawkEye Keylogger 0x7d006:$hawkstr1: HawkEye Keylogger 0x7d169:$hawkstr1: HawkEye Keylogger 0x7d3e2:$hawkstr1: HawkEye Keylogger 0x7b8c9:$hawkstr2: Dear HawkEye Customers! 0x7cefe:$hawkstr2: Dear HawkEye Customers! 0x7d055:$hawkstr2: Dear HawkEye Customers! 0x7d1bc:$hawkstr2: Dear HawkEye Customers! 0x7b9ea:$hawkstr3: HawkEye Logger Details:
0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000002.400261913.0000000002B31000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x37efc:$hawkstr1: HawkEye Keylogger 0x3b2a4:$hawkstr1: HawkEye Keylogger 0x3b624:$hawkstr1: HawkEye Keylogger 0x3b9bc:$hawkstr1: HawkEye Keylogger 0x379b4:$hawkstr2: Dear HawkEye Customers! 0x3b304:$hawkstr2: Dear HawkEye Customers! 0x3b684:$hawkstr2: Dear HawkEye Customers! 0x37ae2:$hawkstr3: HawkEye Logger Details:
0000000A.00000000.334186783.0000000003B39000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000A.00000000.334186783.0000000003B39000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.337600996.0000000007D10000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000A.00000000.337446969.0000000007CA0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000A.00000000.344058983.0000000003B39000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000A.00000000.344058983.0000000003B39000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.341956541.0000000002DDA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000000.347217323.0000000007D10000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6ba:$key: HawkEyeKeylogger 0x7d8c8:$salt: 099u787978786 0x7bce3:$string1: HawkEye_Keylogger 0x7cb36:$string1: HawkEye_Keylogger 0x7d828:$string1: HawkEye_Keylogger 0x7c0cc:$string2: holdermail.txt 0x7c0ec:$string2: holdermail.txt 0x7c00e:$string3: wallet.dat 0x7c026:$string3: wallet.dat 0x7c03c:$string3: wallet.dat 0x7d40a:$string4: Keylog Records 0x7d722:$string4: Keylog Records 0x7d920:$string5: do not script --> 0x7b6a2:$string6: \pidloc.txt 0x7b718:$string7: BSPLIT 0x7b728:$string7: BSPLIT
0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.332247492.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd3b:$hawkstr1: HawkEye Keylogger 0x7cb7c:$hawkstr1: HawkEye Keylogger 0x7ceab:$hawkstr1: HawkEye Keylogger 0x7d006:$hawkstr1: HawkEye Keylogger 0x7d169:$hawkstr1: HawkEye Keylogger 0x7d3e2:$hawkstr1: HawkEye Keylogger 0x7b8c9:$hawkstr2: Dear HawkEye Customers! 0x7cefe:$hawkstr2: Dear HawkEye Customers! 0x7d055:$hawkstr2: Dear HawkEye Customers! 0x7d1bc:$hawkstr2: Dear HawkEye Customers! 0x7b9ea:$hawkstr3: HawkEye Logger Details:
0000000A.00000002.401344855.0000000003B39000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000A.00000002.401344855.0000000003B39000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6ba:$key: HawkEyeKeylogger 0x7d8c8:$salt: 099u787978786 0x7bce3:$string1: HawkEye_Keylogger 0x7cb36:$string1: HawkEye_Keylogger 0x7d828:$string1: HawkEye_Keylogger 0x7c0cc:$string2: holdermail.txt 0x7c0ec:$string2: holdermail.txt 0x7c00e:$string3: wallet.dat 0x7c026:$string3: wallet.dat 0x7c03c:$string3: wallet.dat 0x7d40a:$string4: Keylog Records 0x7d722:$string4: Keylog Records 0x7d920:$string5: do not script --> 0x7b6a2:$string6: \pidloc.txt 0x7b718:$string7: BSPLIT 0x7b728:$string7: BSPLIT
0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.338660293.0000000000402000.00000040.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bd3b:$hawkstr1: HawkEye Keylogger 0x7cb7c:$hawkstr1: HawkEye Keylogger 0x7ceab:$hawkstr1: HawkEye Keylogger 0x7d006:$hawkstr1: HawkEye Keylogger 0x7d169:$hawkstr1: HawkEye Keylogger 0x7d3e2:$hawkstr1: HawkEye Keylogger 0x7b8c9:$hawkstr2: Dear HawkEye Customers! 0x7cefe:$hawkstr2: Dear HawkEye Customers! 0x7d055:$hawkstr2: Dear HawkEye Customers! 0x7d1bc:$hawkstr2: Dear HawkEye Customers! 0x7b9ea:$hawkstr3: HawkEye Logger Details:
00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0xfdb0a:$key: HawkEyeKeylogger 0x17fffc:$key: HawkEyeKeylogger 0x2022ba:$key: HawkEyeKeylogger 0xffd18:$salt: 099u787978786 0x18220a:$salt: 099u787978786 0x2044c8:$salt: 099u787978786 0xfe133:$string1: HawkEye_Keylogger 0xfef86:$string1: HawkEye_Keylogger 0xffc78:$string1: HawkEye_Keylogger 0x180625:$string1: HawkEye_Keylogger 0x181478:$string1: HawkEye_Keylogger 0x18216a:$string1: HawkEye_Keylogger 0x2028e3:$string1: HawkEye_Keylogger 0x203736:$string1: HawkEye_Keylogger 0x204428:$string1: HawkEye_Keylogger 0xfe51c:$string2: holdermail.txt 0xfe53c:$string2: holdermail.txt 0x180a0e:$string2: holdermail.txt 0x180a2e:$string2: holdermail.txt 0x202ccc:$string2: holdermail.txt 0x202cec:$string2: holdermail.txt
00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xfe18b:$hawkstr1: HawkEye Keylogger 0xfefcc:$hawkstr1: HawkEye Keylogger 0xff2fb:$hawkstr1: HawkEye Keylogger 0xff456:$hawkstr1: HawkEye Keylogger 0xff5b9:$hawkstr1: HawkEye Keylogger 0xff832:$hawkstr1: HawkEye Keylogger 0x18067d:$hawkstr1: HawkEye Keylogger 0x1814be:$hawkstr1: HawkEye Keylogger 0x1817ed:$hawkstr1: HawkEye Keylogger 0x181948:$hawkstr1: HawkEye Keylogger 0x181aab:$hawkstr1: HawkEye Keylogger 0x181d24:$hawkstr1: HawkEye Keylogger 0x20293b:$hawkstr1: HawkEye Keylogger 0x20377c:$hawkstr1: HawkEye Keylogger 0x203aab:$hawkstr1: HawkEye Keylogger 0x203c06:$hawkstr1: HawkEye Keylogger 0x203d69:$hawkstr1: HawkEye Keylogger 0x203fe2:$hawkstr1: HawkEye Keylogger 0xfdd19:$hawkstr2: Dear HawkEye Customers! 0xff34e:$hawkstr2: Dear HawkEye Customers! 0xff4a5:$hawkstr2: Dear HawkEye Customers!
00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7c53c:$key: HawkEyeKeylogger 0xfe80c:$key: HawkEyeKeylogger 0x7e74a:$salt: 099u787978786 0x100a1a:$salt: 099u787978786 0x7cb65:$string1: HawkEye_Keylogger 0x7d9b8:$string1: HawkEye_Keylogger 0x7e6aa:$string1: HawkEye_Keylogger 0xfee35:$string1: HawkEye_Keylogger 0xffc88:$string1: HawkEye_Keylogger 0x10097a:$string1: HawkEye_Keylogger 0x7cf4e:$string2: holdermail.txt 0x7cf6e:$string2: holdermail.txt 0xff21e:$string2: holdermail.txt 0xff23e:$string2: holdermail.txt 0x7ce90:$string3: wallet.dat 0x7cea8:$string3: wallet.dat 0x7cebe:$string3: wallet.dat 0xff160:$string3: wallet.dat 0xff178:$string3: wallet.dat 0xff18e:$string3: wallet.dat 0x7e28c:$string4: Keylog Records
00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000001.00000002.305894961.00000000039BA000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7cbbd:$hawkstr1: HawkEye Keylogger 0x7d9fe:$hawkstr1: HawkEye Keylogger 0x7dd2d:$hawkstr1: HawkEye Keylogger 0x7de88:$hawkstr1: HawkEye Keylogger 0x7dfeb:$hawkstr1: HawkEye Keylogger 0x7e264:$hawkstr1: HawkEye Keylogger 0xfee8d:$hawkstr1: HawkEye Keylogger 0xffcce:$hawkstr1: HawkEye Keylogger 0xffffd:$hawkstr1: HawkEye Keylogger 0x100158:$hawkstr1: HawkEye Keylogger 0x1002bb:$hawkstr1: HawkEye Keylogger 0x100534:$hawkstr1: HawkEye Keylogger 0x7c74b:$hawkstr2: Dear HawkEye Customers! 0x7dd80:$hawkstr2: Dear HawkEye Customers! 0x7ded7:$hawkstr2: Dear HawkEye Customers! 0x7e03e:$hawkstr2: Dear HawkEye Customers! 0xfea1b:$hawkstr2: Dear HawkEye Customers! 0x100050:$hawkstr2: Dear HawkEye Customers! 0x1001a7:$hawkstr2: Dear HawkEye Customers! 0x10030e:$hawkstr2: Dear HawkEye Customers! 0x7c86c:$hawkstr3: HawkEye Logger Details:
0000000A.00000000.347141160.0000000007CA0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0000000A.00000002.406066723.0000000007CA0000.00000004.00020000.sdmp	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1061a:$key: HawkEyeKeylogger 0x12828:$salt: 099u787978786 0x10c43:$string1: HawkEye_Keylogger 0x11a96:$string1: HawkEye_Keylogger 0x12788:$string1: HawkEye_Keylogger 0x1102c:$string2: holdermail.txt 0x1104c:$string2: holdermail.txt 0x10f6e:$string3: wallet.dat 0x10f86:$string3: wallet.dat 0x10f9c:$string3: wallet.dat 0x1236a:$string4: Keylog Records 0x12682:$string4: Keylog Records 0x12880:$string5: do not script --> 0x10602:$string6: \pidloc.txt 0x10678:$string7: BSPLIT 0x10688:$string7: BSPLIT
00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x10c9b:$hawkstr1: HawkEye Keylogger 0x11adc:$hawkstr1: HawkEye Keylogger 0x11e0b:$hawkstr1: HawkEye Keylogger 0x11f66:$hawkstr1: HawkEye Keylogger 0x120c9:$hawkstr1: HawkEye Keylogger 0x12342:$hawkstr1: HawkEye Keylogger 0x10829:$hawkstr2: Dear HawkEye Customers! 0x11e5e:$hawkstr2: Dear HawkEye Customers! 0x11fb5:$hawkstr2: Dear HawkEye Customers! 0x1211c:$hawkstr2: Dear HawkEye Customers! 0x1094a:$hawkstr3: HawkEye Logger Details:
0000000A.00000000.334072591.0000000002DDA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000F.00000002.351623076.0000000000400000.00000040.00000001.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000A.00000000.341915829.0000000002DCA000.00000004.00000001.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x25d0:$hawkstr1: HawkEye Keylogger 0x2088:$hawkstr2: Dear HawkEye Customers! 0x21b6:$hawkstr3: HawkEye Logger Details:
00000010.00000002.341034426.0000000000400000.00000040.00000001.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: 201021.exe PID: 2168	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: 201021.exe PID: 2168	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: 201021.exe PID: 2168	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: InstallUtil.exe PID: 6672	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: InstallUtil.exe PID: 6672	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: InstallUtil.exe PID: 6672	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 7128	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WerFault.exe PID: 2212	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Click to see the 53 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.0.InstallUtil.exe.3b39930.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.3b39930.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.409c0d.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.7ca0000.19.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.7ca0000.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.0.InstallUtil.exe.3b39930.8.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.201021.exe.3c5fec2.8.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.45fa72.14.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.400000.11.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8ba:$key: HawkEyeKeylogger 0x7dac8:$salt: 099u787978786 0x7bee3:$string1: HawkEye_Keylogger 0x7cd36:$string1: HawkEye_Keylogger 0x7da28:$string1: HawkEye_Keylogger 0x7c2cc:$string2: holdermail.txt 0x7c2ec:$string2: holdermail.txt 0x7c20e:$string3: wallet.dat 0x7c226:$string3: wallet.dat 0x7c23c:$string3: wallet.dat 0x7d60a:$string4: Keylog Records 0x7d922:$string4: Keylog Records 0x7db20:$string5: do not script --> 0x7b8a2:$string6: \pidloc.txt 0x7b918:$string7: BSPLIT 0x7b928:$string7: BSPLIT
10.0.InstallUtil.exe.400000.11.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.0.InstallUtil.exe.400000.11.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.400000.11.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.0.InstallUtil.exe.400000.11.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.400000.11.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf3b:$hawkstr1: HawkEye Keylogger 0x7cd7c:$hawkstr1: HawkEye Keylogger 0x7d0ab:$hawkstr1: HawkEye Keylogger 0x7d206:$hawkstr1: HawkEye Keylogger 0x7d369:$hawkstr1: HawkEye Keylogger 0x7d5e2:$hawkstr1: HawkEye Keylogger 0x7bac9:$hawkstr2: Dear HawkEye Customers! 0x7d0fe:$hawkstr2: Dear HawkEye Customers! 0x7d255:$hawkstr2: Dear HawkEye Customers! 0x7d3bc:$hawkstr2: Dear HawkEye Customers! 0x7bbea:$hawkstr3: HawkEye Logger Details:
10.2.InstallUtil.exe.400000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8ba:$key: HawkEyeKeylogger 0x7dac8:$salt: 099u787978786 0x7bee3:$string1: HawkEye_Keylogger 0x7cd36:$string1: HawkEye_Keylogger 0x7da28:$string1: HawkEye_Keylogger 0x7c2cc:$string2: holdermail.txt 0x7c2ec:$string2: holdermail.txt 0x7c20e:$string3: wallet.dat 0x7c226:$string3: wallet.dat 0x7c23c:$string3: wallet.dat 0x7d60a:$string4: Keylog Records 0x7d922:$string4: Keylog Records 0x7db20:$string5: do not script --> 0x7b8a2:$string6: \pidloc.txt 0x7b918:$string7: BSPLIT 0x7b928:$string7: BSPLIT
10.2.InstallUtil.exe.400000.0.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.400000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf3b:$hawkstr1: HawkEye Keylogger 0x7cd7c:$hawkstr1: HawkEye Keylogger 0x7d0ab:$hawkstr1: HawkEye Keylogger 0x7d206:$hawkstr1: HawkEye Keylogger 0x7d369:$hawkstr1: HawkEye Keylogger 0x7d5e2:$hawkstr1: HawkEye Keylogger 0x7bac9:$hawkstr2: Dear HawkEye Customers! 0x7d0fe:$hawkstr2: Dear HawkEye Customers! 0x7d255:$hawkstr2: Dear HawkEye Customers! 0x7d3bc:$hawkstr2: Dear HawkEye Customers! 0x7bbea:$hawkstr3: HawkEye Logger Details:
10.0.InstallUtil.exe.3b51b50.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.408208.13.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b2:$key: HawkEyeKeylogger 0x776c0:$salt: 099u787978786 0x75adb:$string1: HawkEye_Keylogger 0x7692e:$string1: HawkEye_Keylogger 0x77620:$string1: HawkEye_Keylogger 0x75ec4:$string2: holdermail.txt 0x75ee4:$string2: holdermail.txt 0x75e06:$string3: wallet.dat 0x75e1e:$string3: wallet.dat 0x75e34:$string3: wallet.dat 0x77202:$string4: Keylog Records 0x7751a:$string4: Keylog Records 0x77718:$string5: do not script --> 0x7549a:$string6: \pidloc.txt 0x75510:$string7: BSPLIT 0x75520:$string7: BSPLIT
10.0.InstallUtil.exe.408208.13.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.0.InstallUtil.exe.408208.13.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.408208.13.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.0.InstallUtil.exe.408208.13.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.408208.13.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b33:$hawkstr1: HawkEye Keylogger 0x76974:$hawkstr1: HawkEye Keylogger 0x76ca3:$hawkstr1: HawkEye Keylogger 0x76dfe:$hawkstr1: HawkEye Keylogger 0x76f61:$hawkstr1: HawkEye Keylogger 0x771da:$hawkstr1: HawkEye Keylogger 0x756c1:$hawkstr2: Dear HawkEye Customers! 0x76cf6:$hawkstr2: Dear HawkEye Customers! 0x76e4d:$hawkstr2: Dear HawkEye Customers! 0x76fb4:$hawkstr2: Dear HawkEye Customers! 0x757e2:$hawkstr3: HawkEye Logger Details:
10.0.InstallUtil.exe.409c0d.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.45fa72.4.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.3b39930.18.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.3b39930.18.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.3b51b50.17.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.3c0a05d.6.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.39c2a8f.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.3b51b50.7.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.3b39930.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.2.InstallUtil.exe.3b39930.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.3b51b50.8.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
16.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.2b8d4c0.16.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.45fa72.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.7ca0000.9.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.0.InstallUtil.exe.3b39930.18.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.408208.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b2:$key: HawkEyeKeylogger 0x776c0:$salt: 099u787978786 0x75adb:$string1: HawkEye_Keylogger 0x7692e:$string1: HawkEye_Keylogger 0x77620:$string1: HawkEye_Keylogger 0x75ec4:$string2: holdermail.txt 0x75ee4:$string2: holdermail.txt 0x75e06:$string3: wallet.dat 0x75e1e:$string3: wallet.dat 0x75e34:$string3: wallet.dat 0x77202:$string4: Keylog Records 0x7751a:$string4: Keylog Records 0x77718:$string5: do not script --> 0x7549a:$string6: \pidloc.txt 0x75510:$string7: BSPLIT 0x75520:$string7: BSPLIT
10.0.InstallUtil.exe.408208.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.0.InstallUtil.exe.408208.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.408208.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.0.InstallUtil.exe.408208.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.408208.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b33:$hawkstr1: HawkEye Keylogger 0x76974:$hawkstr1: HawkEye Keylogger 0x76ca3:$hawkstr1: HawkEye Keylogger 0x76dfe:$hawkstr1: HawkEye Keylogger 0x76f61:$hawkstr1: HawkEye Keylogger 0x771da:$hawkstr1: HawkEye Keylogger 0x756c1:$hawkstr2: Dear HawkEye Customers! 0x76cf6:$hawkstr2: Dear HawkEye Customers! 0x76e4d:$hawkstr2: Dear HawkEye Customers! 0x76fb4:$hawkstr2: Dear HawkEye Customers! 0x757e2:$hawkstr3: HawkEye Logger Details:
10.0.InstallUtil.exe.409c0d.12.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.7d10000.20.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.2b5b360.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.2b5b360.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.2.InstallUtil.exe.2b5b360.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0xdb9c:$hawkstr1: HawkEye Keylogger 0x10f44:$hawkstr1: HawkEye Keylogger 0x112c4:$hawkstr1: HawkEye Keylogger 0x1165c:$hawkstr1: HawkEye Keylogger 0xd654:$hawkstr2: Dear HawkEye Customers! 0x10fa4:$hawkstr2: Dear HawkEye Customers! 0x11324:$hawkstr2: Dear HawkEye Customers! 0xd782:$hawkstr3: HawkEye Logger Details:
1.2.201021.exe.39bac82.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8ba:$key: HawkEyeKeylogger 0xfdb8a:$key: HawkEyeKeylogger 0x7dac8:$salt: 099u787978786 0xffd98:$salt: 099u787978786 0x7bee3:$string1: HawkEye_Keylogger 0x7cd36:$string1: HawkEye_Keylogger 0x7da28:$string1: HawkEye_Keylogger 0xfe1b3:$string1: HawkEye_Keylogger 0xff006:$string1: HawkEye_Keylogger 0xffcf8:$string1: HawkEye_Keylogger 0x7c2cc:$string2: holdermail.txt 0x7c2ec:$string2: holdermail.txt 0xfe59c:$string2: holdermail.txt 0xfe5bc:$string2: holdermail.txt 0x7c20e:$string3: wallet.dat 0x7c226:$string3: wallet.dat 0x7c23c:$string3: wallet.dat 0xfe4de:$string3: wallet.dat 0xfe4f6:$string3: wallet.dat 0xfe50c:$string3: wallet.dat 0x7d60a:$string4: Keylog Records
1.2.201021.exe.39bac82.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x896f3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
1.2.201021.exe.39bac82.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.201021.exe.39bac82.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.201021.exe.39bac82.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.39bac82.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf3b:$hawkstr1: HawkEye Keylogger 0x7cd7c:$hawkstr1: HawkEye Keylogger 0x7d0ab:$hawkstr1: HawkEye Keylogger 0x7d206:$hawkstr1: HawkEye Keylogger 0x7d369:$hawkstr1: HawkEye Keylogger 0x7d5e2:$hawkstr1: HawkEye Keylogger 0xfe20b:$hawkstr1: HawkEye Keylogger 0xff04c:$hawkstr1: HawkEye Keylogger 0xff37b:$hawkstr1: HawkEye Keylogger 0xff4d6:$hawkstr1: HawkEye Keylogger 0xff639:$hawkstr1: HawkEye Keylogger 0xff8b2:$hawkstr1: HawkEye Keylogger 0x7bac9:$hawkstr2: Dear HawkEye Customers! 0x7d0fe:$hawkstr2: Dear HawkEye Customers! 0x7d255:$hawkstr2: Dear HawkEye Customers! 0x7d3bc:$hawkstr2: Dear HawkEye Customers! 0xfdd99:$hawkstr2: Dear HawkEye Customers! 0xff3ce:$hawkstr2: Dear HawkEye Customers! 0xff525:$hawkstr2: Dear HawkEye Customers! 0xff68c:$hawkstr2: Dear HawkEye Customers! 0x7bbea:$hawkstr3: HawkEye Logger Details:
10.0.InstallUtil.exe.2b8d4c0.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
16.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.2.InstallUtil.exe.7d10000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.3b39930.7.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.7d10000.10.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.0.InstallUtil.exe.45fa72.14.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc48:$key: HawkEyeKeylogger 0x1fe56:$salt: 099u787978786 0x1e271:$string1: HawkEye_Keylogger 0x1f0c4:$string1: HawkEye_Keylogger 0x1fdb6:$string1: HawkEye_Keylogger 0x1e65a:$string2: holdermail.txt 0x1e67a:$string2: holdermail.txt 0x1e59c:$string3: wallet.dat 0x1e5b4:$string3: wallet.dat 0x1e5ca:$string3: wallet.dat 0x1f998:$string4: Keylog Records 0x1fcb0:$string4: Keylog Records 0x1feae:$string5: do not script --> 0x1dc30:$string6: \pidloc.txt 0x1dca6:$string7: BSPLIT 0x1dcb6:$string7: BSPLIT
10.0.InstallUtil.exe.45fa72.14.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.45fa72.14.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.0.InstallUtil.exe.45fa72.14.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2c9:$hawkstr1: HawkEye Keylogger 0x1f10a:$hawkstr1: HawkEye Keylogger 0x1f439:$hawkstr1: HawkEye Keylogger 0x1f594:$hawkstr1: HawkEye Keylogger 0x1f6f7:$hawkstr1: HawkEye Keylogger 0x1f970:$hawkstr1: HawkEye Keylogger 0x1de57:$hawkstr2: Dear HawkEye Customers! 0x1f48c:$hawkstr2: Dear HawkEye Customers! 0x1f5e3:$hawkstr2: Dear HawkEye Customers! 0x1f74a:$hawkstr2: Dear HawkEye Customers! 0x1df78:$hawkstr3: HawkEye Logger Details:
15.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.408208.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b2:$key: HawkEyeKeylogger 0x776c0:$salt: 099u787978786 0x75adb:$string1: HawkEye_Keylogger 0x7692e:$string1: HawkEye_Keylogger 0x77620:$string1: HawkEye_Keylogger 0x75ec4:$string2: holdermail.txt 0x75ee4:$string2: holdermail.txt 0x75e06:$string3: wallet.dat 0x75e1e:$string3: wallet.dat 0x75e34:$string3: wallet.dat 0x77202:$string4: Keylog Records 0x7751a:$string4: Keylog Records 0x77718:$string5: do not script --> 0x7549a:$string6: \pidloc.txt 0x75510:$string7: BSPLIT 0x75520:$string7: BSPLIT
10.2.InstallUtil.exe.408208.3.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.2.InstallUtil.exe.408208.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.2.InstallUtil.exe.408208.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.2.InstallUtil.exe.408208.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.408208.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b33:$hawkstr1: HawkEye Keylogger 0x76974:$hawkstr1: HawkEye Keylogger 0x76ca3:$hawkstr1: HawkEye Keylogger 0x76dfe:$hawkstr1: HawkEye Keylogger 0x76f61:$hawkstr1: HawkEye Keylogger 0x771da:$hawkstr1: HawkEye Keylogger 0x756c1:$hawkstr2: Dear HawkEye Customers! 0x76cf6:$hawkstr2: Dear HawkEye Customers! 0x76e4d:$hawkstr2: Dear HawkEye Customers! 0x76fb4:$hawkstr2: Dear HawkEye Customers! 0x757e2:$hawkstr3: HawkEye Logger Details:
10.0.InstallUtil.exe.45fa72.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc48:$key: HawkEyeKeylogger 0x1fe56:$salt: 099u787978786 0x1e271:$string1: HawkEye_Keylogger 0x1f0c4:$string1: HawkEye_Keylogger 0x1fdb6:$string1: HawkEye_Keylogger 0x1e65a:$string2: holdermail.txt 0x1e67a:$string2: holdermail.txt 0x1e59c:$string3: wallet.dat 0x1e5b4:$string3: wallet.dat 0x1e5ca:$string3: wallet.dat 0x1f998:$string4: Keylog Records 0x1fcb0:$string4: Keylog Records 0x1feae:$string5: do not script --> 0x1dc30:$string6: \pidloc.txt 0x1dca6:$string7: BSPLIT 0x1dcb6:$string7: BSPLIT
10.0.InstallUtil.exe.45fa72.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.45fa72.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.0.InstallUtil.exe.45fa72.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2c9:$hawkstr1: HawkEye Keylogger 0x1f10a:$hawkstr1: HawkEye Keylogger 0x1f439:$hawkstr1: HawkEye Keylogger 0x1f594:$hawkstr1: HawkEye Keylogger 0x1f6f7:$hawkstr1: HawkEye Keylogger 0x1f970:$hawkstr1: HawkEye Keylogger 0x1de57:$hawkstr2: Dear HawkEye Customers! 0x1f48c:$hawkstr2: Dear HawkEye Customers! 0x1f5e3:$hawkstr2: Dear HawkEye Customers! 0x1f74a:$hawkstr2: Dear HawkEye Customers! 0x1df78:$hawkstr3: HawkEye Logger Details:
10.2.InstallUtil.exe.3b51b50.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.409c0d.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73aad:$key: HawkEyeKeylogger 0x75cbb:$salt: 099u787978786 0x740d6:$string1: HawkEye_Keylogger 0x74f29:$string1: HawkEye_Keylogger 0x75c1b:$string1: HawkEye_Keylogger 0x744bf:$string2: holdermail.txt 0x744df:$string2: holdermail.txt 0x74401:$string3: wallet.dat 0x74419:$string3: wallet.dat 0x7442f:$string3: wallet.dat 0x757fd:$string4: Keylog Records 0x75b15:$string4: Keylog Records 0x75d13:$string5: do not script --> 0x73a95:$string6: \pidloc.txt 0x73b0b:$string7: BSPLIT 0x73b1b:$string7: BSPLIT
10.2.InstallUtil.exe.409c0d.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.2.InstallUtil.exe.409c0d.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.2.InstallUtil.exe.409c0d.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.409c0d.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7412e:$hawkstr1: HawkEye Keylogger 0x74f6f:$hawkstr1: HawkEye Keylogger 0x7529e:$hawkstr1: HawkEye Keylogger 0x753f9:$hawkstr1: HawkEye Keylogger 0x7555c:$hawkstr1: HawkEye Keylogger 0x757d5:$hawkstr1: HawkEye Keylogger 0x73cbc:$hawkstr2: Dear HawkEye Customers! 0x752f1:$hawkstr2: Dear HawkEye Customers! 0x75448:$hawkstr2: Dear HawkEye Customers! 0x755af:$hawkstr2: Dear HawkEye Customers! 0x73ddd:$hawkstr3: HawkEye Logger Details:
15.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.409c0d.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73aad:$key: HawkEyeKeylogger 0x75cbb:$salt: 099u787978786 0x740d6:$string1: HawkEye_Keylogger 0x74f29:$string1: HawkEye_Keylogger 0x75c1b:$string1: HawkEye_Keylogger 0x744bf:$string2: holdermail.txt 0x744df:$string2: holdermail.txt 0x74401:$string3: wallet.dat 0x74419:$string3: wallet.dat 0x7442f:$string3: wallet.dat 0x757fd:$string4: Keylog Records 0x75b15:$string4: Keylog Records 0x75d13:$string5: do not script --> 0x73a95:$string6: \pidloc.txt 0x73b0b:$string7: BSPLIT 0x73b1b:$string7: BSPLIT
10.0.InstallUtil.exe.409c0d.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.409c0d.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.0.InstallUtil.exe.409c0d.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.409c0d.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7412e:$hawkstr1: HawkEye Keylogger 0x74f6f:$hawkstr1: HawkEye Keylogger 0x7529e:$hawkstr1: HawkEye Keylogger 0x753f9:$hawkstr1: HawkEye Keylogger 0x7555c:$hawkstr1: HawkEye Keylogger 0x757d5:$hawkstr1: HawkEye Keylogger 0x73cbc:$hawkstr2: Dear HawkEye Customers! 0x752f1:$hawkstr2: Dear HawkEye Customers! 0x75448:$hawkstr2: Dear HawkEye Customers! 0x755af:$hawkstr2: Dear HawkEye Customers! 0x73ddd:$hawkstr3: HawkEye Logger Details:
10.0.InstallUtil.exe.3b51b50.17.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.2.InstallUtil.exe.45fa72.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc48:$key: HawkEyeKeylogger 0x1fe56:$salt: 099u787978786 0x1e271:$string1: HawkEye_Keylogger 0x1f0c4:$string1: HawkEye_Keylogger 0x1fdb6:$string1: HawkEye_Keylogger 0x1e65a:$string2: holdermail.txt 0x1e67a:$string2: holdermail.txt 0x1e59c:$string3: wallet.dat 0x1e5b4:$string3: wallet.dat 0x1e5ca:$string3: wallet.dat 0x1f998:$string4: Keylog Records 0x1fcb0:$string4: Keylog Records 0x1feae:$string5: do not script --> 0x1dc30:$string6: \pidloc.txt 0x1dca6:$string7: BSPLIT 0x1dcb6:$string7: BSPLIT
10.2.InstallUtil.exe.45fa72.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.2.InstallUtil.exe.45fa72.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.2.InstallUtil.exe.45fa72.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2c9:$hawkstr1: HawkEye Keylogger 0x1f10a:$hawkstr1: HawkEye Keylogger 0x1f439:$hawkstr1: HawkEye Keylogger 0x1f594:$hawkstr1: HawkEye Keylogger 0x1f6f7:$hawkstr1: HawkEye Keylogger 0x1f970:$hawkstr1: HawkEye Keylogger 0x1de57:$hawkstr2: Dear HawkEye Customers! 0x1f48c:$hawkstr2: Dear HawkEye Customers! 0x1f5e3:$hawkstr2: Dear HawkEye Customers! 0x1f74a:$hawkstr2: Dear HawkEye Customers! 0x1df78:$hawkstr3: HawkEye Logger Details:
10.0.InstallUtil.exe.400000.1.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8ba:$key: HawkEyeKeylogger 0x7dac8:$salt: 099u787978786 0x7bee3:$string1: HawkEye_Keylogger 0x7cd36:$string1: HawkEye_Keylogger 0x7da28:$string1: HawkEye_Keylogger 0x7c2cc:$string2: holdermail.txt 0x7c2ec:$string2: holdermail.txt 0x7c20e:$string3: wallet.dat 0x7c226:$string3: wallet.dat 0x7c23c:$string3: wallet.dat 0x7d60a:$string4: Keylog Records 0x7d922:$string4: Keylog Records 0x7db20:$string5: do not script --> 0x7b8a2:$string6: \pidloc.txt 0x7b918:$string7: BSPLIT 0x7b928:$string7: BSPLIT
10.0.InstallUtil.exe.400000.1.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
10.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.0.InstallUtil.exe.400000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.400000.1.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7bf3b:$hawkstr1: HawkEye Keylogger 0x7cd7c:$hawkstr1: HawkEye Keylogger 0x7d0ab:$hawkstr1: HawkEye Keylogger 0x7d206:$hawkstr1: HawkEye Keylogger 0x7d369:$hawkstr1: HawkEye Keylogger 0x7d5e2:$hawkstr1: HawkEye Keylogger 0x7bac9:$hawkstr2: Dear HawkEye Customers! 0x7d0fe:$hawkstr2: Dear HawkEye Customers! 0x7d255:$hawkstr2: Dear HawkEye Customers! 0x7d3bc:$hawkstr2: Dear HawkEye Customers! 0x7bbea:$hawkstr3: HawkEye Logger Details:
10.0.InstallUtil.exe.409c0d.12.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73aad:$key: HawkEyeKeylogger 0x75cbb:$salt: 099u787978786 0x740d6:$string1: HawkEye_Keylogger 0x74f29:$string1: HawkEye_Keylogger 0x75c1b:$string1: HawkEye_Keylogger 0x744bf:$string2: holdermail.txt 0x744df:$string2: holdermail.txt 0x74401:$string3: wallet.dat 0x74419:$string3: wallet.dat 0x7442f:$string3: wallet.dat 0x757fd:$string4: Keylog Records 0x75b15:$string4: Keylog Records 0x75d13:$string5: do not script --> 0x73a95:$string6: \pidloc.txt 0x73b0b:$string7: BSPLIT 0x73b1b:$string7: BSPLIT
10.0.InstallUtil.exe.409c0d.12.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
10.0.InstallUtil.exe.409c0d.12.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
10.0.InstallUtil.exe.409c0d.12.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
10.0.InstallUtil.exe.409c0d.12.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7412e:$hawkstr1: HawkEye Keylogger 0x74f6f:$hawkstr1: HawkEye Keylogger 0x7529e:$hawkstr1: HawkEye Keylogger 0x753f9:$hawkstr1: HawkEye Keylogger 0x7555c:$hawkstr1: HawkEye Keylogger 0x757d5:$hawkstr1: HawkEye Keylogger 0x73cbc:$hawkstr2: Dear HawkEye Customers! 0x752f1:$hawkstr2: Dear HawkEye Customers! 0x75448:$hawkstr2: Dear HawkEye Customers! 0x755af:$hawkstr2: Dear HawkEye Customers! 0x73ddd:$hawkstr3: HawkEye Logger Details:
1.2.201021.exe.39c2a8f.4.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73aad:$key: HawkEyeKeylogger 0xf5d7d:$key: HawkEyeKeylogger 0x75cbb:$salt: 099u787978786 0xf7f8b:$salt: 099u787978786 0x740d6:$string1: HawkEye_Keylogger 0x74f29:$string1: HawkEye_Keylogger 0x75c1b:$string1: HawkEye_Keylogger 0xf63a6:$string1: HawkEye_Keylogger 0xf71f9:$string1: HawkEye_Keylogger 0xf7eeb:$string1: HawkEye_Keylogger 0x744bf:$string2: holdermail.txt 0x744df:$string2: holdermail.txt 0xf678f:$string2: holdermail.txt 0xf67af:$string2: holdermail.txt 0x74401:$string3: wallet.dat 0x74419:$string3: wallet.dat 0x7442f:$string3: wallet.dat 0xf66d1:$string3: wallet.dat 0xf66e9:$string3: wallet.dat 0xf66ff:$string3: wallet.dat 0x757fd:$string4: Keylog Records
1.2.201021.exe.39c2a8f.4.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x818e6:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
1.2.201021.exe.39c2a8f.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.201021.exe.39c2a8f.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.201021.exe.39c2a8f.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.39c2a8f.4.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7412e:$hawkstr1: HawkEye Keylogger 0x74f6f:$hawkstr1: HawkEye Keylogger 0x7529e:$hawkstr1: HawkEye Keylogger 0x753f9:$hawkstr1: HawkEye Keylogger 0x7555c:$hawkstr1: HawkEye Keylogger 0x757d5:$hawkstr1: HawkEye Keylogger 0xf63fe:$hawkstr1: HawkEye Keylogger 0xf723f:$hawkstr1: HawkEye Keylogger 0xf756e:$hawkstr1: HawkEye Keylogger 0xf76c9:$hawkstr1: HawkEye Keylogger 0xf782c:$hawkstr1: HawkEye Keylogger 0xf7aa5:$hawkstr1: HawkEye Keylogger 0x73cbc:$hawkstr2: Dear HawkEye Customers! 0x752f1:$hawkstr2: Dear HawkEye Customers! 0x75448:$hawkstr2: Dear HawkEye Customers! 0x755af:$hawkstr2: Dear HawkEye Customers! 0xf5f8c:$hawkstr2: Dear HawkEye Customers! 0xf75c1:$hawkstr2: Dear HawkEye Customers! 0xf7718:$hawkstr2: Dear HawkEye Customers! 0xf787f:$hawkstr2: Dear HawkEye Customers! 0x73ddd:$hawkstr3: HawkEye Logger Details:
1.2.201021.exe.39bac82.3.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x79aba:$key: HawkEyeKeylogger 0x7bcc8:$salt: 099u787978786 0x7a0e3:$string1: HawkEye_Keylogger 0x7af36:$string1: HawkEye_Keylogger 0x7bc28:$string1: HawkEye_Keylogger 0x7a4cc:$string2: holdermail.txt 0x7a4ec:$string2: holdermail.txt 0x7a40e:$string3: wallet.dat 0x7a426:$string3: wallet.dat 0x7a43c:$string3: wallet.dat 0x7b80a:$string4: Keylog Records 0x7bb22:$string4: Keylog Records 0x7bd20:$string5: do not script --> 0x79aa2:$string6: \pidloc.txt 0x79b18:$string7: BSPLIT 0x79b28:$string7: BSPLIT
1.2.201021.exe.39bac82.3.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x5623:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
1.2.201021.exe.39bac82.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.201021.exe.39bac82.3.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.201021.exe.39bac82.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.39bac82.3.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7a13b:$hawkstr1: HawkEye Keylogger 0x7af7c:$hawkstr1: HawkEye Keylogger 0x7b2ab:$hawkstr1: HawkEye Keylogger 0x7b406:$hawkstr1: HawkEye Keylogger 0x7b569:$hawkstr1: HawkEye Keylogger 0x7b7e2:$hawkstr1: HawkEye Keylogger 0x79cc9:$hawkstr2: Dear HawkEye Customers! 0x7b2fe:$hawkstr2: Dear HawkEye Customers! 0x7b455:$hawkstr2: Dear HawkEye Customers! 0x7b5bc:$hawkstr2: Dear HawkEye Customers! 0x79dea:$hawkstr3: HawkEye Logger Details:
1.2.201021.exe.3c5fec2.8.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dc48:$key: HawkEyeKeylogger 0xa013a:$key: HawkEyeKeylogger 0x1223f8:$key: HawkEyeKeylogger 0x1fe56:$salt: 099u787978786 0xa2348:$salt: 099u787978786 0x124606:$salt: 099u787978786 0x1e271:$string1: HawkEye_Keylogger 0x1f0c4:$string1: HawkEye_Keylogger 0x1fdb6:$string1: HawkEye_Keylogger 0xa0763:$string1: HawkEye_Keylogger 0xa15b6:$string1: HawkEye_Keylogger 0xa22a8:$string1: HawkEye_Keylogger 0x122a21:$string1: HawkEye_Keylogger 0x123874:$string1: HawkEye_Keylogger 0x124566:$string1: HawkEye_Keylogger 0x1e65a:$string2: holdermail.txt 0x1e67a:$string2: holdermail.txt 0xa0b4c:$string2: holdermail.txt 0xa0b6c:$string2: holdermail.txt 0x122e0a:$string2: holdermail.txt 0x122e2a:$string2: holdermail.txt
1.2.201021.exe.3c5fec2.8.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x2bca3:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0xadf61:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
1.2.201021.exe.3c5fec2.8.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.201021.exe.3c5fec2.8.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.201021.exe.3c5fec2.8.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.3c5fec2.8.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e2c9:$hawkstr1: HawkEye Keylogger 0x1f10a:$hawkstr1: HawkEye Keylogger 0x1f439:$hawkstr1: HawkEye Keylogger 0x1f594:$hawkstr1: HawkEye Keylogger 0x1f6f7:$hawkstr1: HawkEye Keylogger 0x1f970:$hawkstr1: HawkEye Keylogger 0xa07bb:$hawkstr1: HawkEye Keylogger 0xa15fc:$hawkstr1: HawkEye Keylogger 0xa192b:$hawkstr1: HawkEye Keylogger 0xa1a86:$hawkstr1: HawkEye Keylogger 0xa1be9:$hawkstr1: HawkEye Keylogger 0xa1e62:$hawkstr1: HawkEye Keylogger 0x122a79:$hawkstr1: HawkEye Keylogger 0x1238ba:$hawkstr1: HawkEye Keylogger 0x123be9:$hawkstr1: HawkEye Keylogger 0x123d44:$hawkstr1: HawkEye Keylogger 0x123ea7:$hawkstr1: HawkEye Keylogger 0x124120:$hawkstr1: HawkEye Keylogger 0x1de57:$hawkstr2: Dear HawkEye Customers! 0x1f48c:$hawkstr2: Dear HawkEye Customers! 0x1f5e3:$hawkstr2: Dear HawkEye Customers!
1.2.201021.exe.3c08658.7.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b2:$key: HawkEyeKeylogger 0xf79a4:$key: HawkEyeKeylogger 0x179c62:$key: HawkEyeKeylogger 0x776c0:$salt: 099u787978786 0xf9bb2:$salt: 099u787978786 0x17be70:$salt: 099u787978786 0x75adb:$string1: HawkEye_Keylogger 0x7692e:$string1: HawkEye_Keylogger 0x77620:$string1: HawkEye_Keylogger 0xf7fcd:$string1: HawkEye_Keylogger 0xf8e20:$string1: HawkEye_Keylogger 0xf9b12:$string1: HawkEye_Keylogger 0x17a28b:$string1: HawkEye_Keylogger 0x17b0de:$string1: HawkEye_Keylogger 0x17bdd0:$string1: HawkEye_Keylogger 0x75ec4:$string2: holdermail.txt 0x75ee4:$string2: holdermail.txt 0xf83b6:$string2: holdermail.txt 0xf83d6:$string2: holdermail.txt 0x17a674:$string2: holdermail.txt 0x17a694:$string2: holdermail.txt
1.2.201021.exe.3c08658.7.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x8350d:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x1057cb:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
1.2.201021.exe.3c08658.7.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.201021.exe.3c08658.7.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.201021.exe.3c08658.7.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.3c08658.7.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b33:$hawkstr1: HawkEye Keylogger 0x76974:$hawkstr1: HawkEye Keylogger 0x76ca3:$hawkstr1: HawkEye Keylogger 0x76dfe:$hawkstr1: HawkEye Keylogger 0x76f61:$hawkstr1: HawkEye Keylogger 0x771da:$hawkstr1: HawkEye Keylogger 0xf8025:$hawkstr1: HawkEye Keylogger 0xf8e66:$hawkstr1: HawkEye Keylogger 0xf9195:$hawkstr1: HawkEye Keylogger 0xf92f0:$hawkstr1: HawkEye Keylogger 0xf9453:$hawkstr1: HawkEye Keylogger 0xf96cc:$hawkstr1: HawkEye Keylogger 0x17a2e3:$hawkstr1: HawkEye Keylogger 0x17b124:$hawkstr1: HawkEye Keylogger 0x17b453:$hawkstr1: HawkEye Keylogger 0x17b5ae:$hawkstr1: HawkEye Keylogger 0x17b711:$hawkstr1: HawkEye Keylogger 0x17b98a:$hawkstr1: HawkEye Keylogger 0x756c1:$hawkstr2: Dear HawkEye Customers! 0x76cf6:$hawkstr2: Dear HawkEye Customers! 0x76e4d:$hawkstr2: Dear HawkEye Customers!
1.2.201021.exe.39c108a.5.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x754b2:$key: HawkEyeKeylogger 0xf7782:$key: HawkEyeKeylogger 0x776c0:$salt: 099u787978786 0xf9990:$salt: 099u787978786 0x75adb:$string1: HawkEye_Keylogger 0x7692e:$string1: HawkEye_Keylogger 0x77620:$string1: HawkEye_Keylogger 0xf7dab:$string1: HawkEye_Keylogger 0xf8bfe:$string1: HawkEye_Keylogger 0xf98f0:$string1: HawkEye_Keylogger 0x75ec4:$string2: holdermail.txt 0x75ee4:$string2: holdermail.txt 0xf8194:$string2: holdermail.txt 0xf81b4:$string2: holdermail.txt 0x75e06:$string3: wallet.dat 0x75e1e:$string3: wallet.dat 0x75e34:$string3: wallet.dat 0xf80d6:$string3: wallet.dat 0xf80ee:$string3: wallet.dat 0xf8104:$string3: wallet.dat 0x77202:$string4: Keylog Records
1.2.201021.exe.39c108a.5.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x832eb:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
1.2.201021.exe.39c108a.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.201021.exe.39c108a.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.201021.exe.39c108a.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.39c108a.5.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75b33:$hawkstr1: HawkEye Keylogger 0x76974:$hawkstr1: HawkEye Keylogger 0x76ca3:$hawkstr1: HawkEye Keylogger 0x76dfe:$hawkstr1: HawkEye Keylogger 0x76f61:$hawkstr1: HawkEye Keylogger 0x771da:$hawkstr1: HawkEye Keylogger 0xf7e03:$hawkstr1: HawkEye Keylogger 0xf8c44:$hawkstr1: HawkEye Keylogger 0xf8f73:$hawkstr1: HawkEye Keylogger 0xf90ce:$hawkstr1: HawkEye Keylogger 0xf9231:$hawkstr1: HawkEye Keylogger 0xf94aa:$hawkstr1: HawkEye Keylogger 0x756c1:$hawkstr2: Dear HawkEye Customers! 0x76cf6:$hawkstr2: Dear HawkEye Customers! 0x76e4d:$hawkstr2: Dear HawkEye Customers! 0x76fb4:$hawkstr2: Dear HawkEye Customers! 0xf7991:$hawkstr2: Dear HawkEye Customers! 0xf8fc6:$hawkstr2: Dear HawkEye Customers! 0xf911d:$hawkstr2: Dear HawkEye Customers! 0xf9284:$hawkstr2: Dear HawkEye Customers! 0x757e2:$hawkstr3: HawkEye Logger Details:
1.2.201021.exe.3c0a05d.6.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73aad:$key: HawkEyeKeylogger 0xf5f9f:$key: HawkEyeKeylogger 0x17825d:$key: HawkEyeKeylogger 0x75cbb:$salt: 099u787978786 0xf81ad:$salt: 099u787978786 0x17a46b:$salt: 099u787978786 0x740d6:$string1: HawkEye_Keylogger 0x74f29:$string1: HawkEye_Keylogger 0x75c1b:$string1: HawkEye_Keylogger 0xf65c8:$string1: HawkEye_Keylogger 0xf741b:$string1: HawkEye_Keylogger 0xf810d:$string1: HawkEye_Keylogger 0x178886:$string1: HawkEye_Keylogger 0x1796d9:$string1: HawkEye_Keylogger 0x17a3cb:$string1: HawkEye_Keylogger 0x744bf:$string2: holdermail.txt 0x744df:$string2: holdermail.txt 0xf69b1:$string2: holdermail.txt 0xf69d1:$string2: holdermail.txt 0x178c6f:$string2: holdermail.txt 0x178c8f:$string2: holdermail.txt
1.2.201021.exe.3c0a05d.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x81b08:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df 0x103dc6:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
1.2.201021.exe.3c0a05d.6.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
1.2.201021.exe.3c0a05d.6.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
1.2.201021.exe.3c0a05d.6.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
1.2.201021.exe.3c0a05d.6.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7412e:$hawkstr1: HawkEye Keylogger 0x74f6f:$hawkstr1: HawkEye Keylogger 0x7529e:$hawkstr1: HawkEye Keylogger 0x753f9:$hawkstr1: HawkEye Keylogger 0x7555c:$hawkstr1: HawkEye Keylogger 0x757d5:$hawkstr1: HawkEye Keylogger 0xf6620:$hawkstr1: HawkEye Keylogger 0xf7461:$hawkstr1: HawkEye Keylogger 0xf7790:$hawkstr1: HawkEye Keylogger 0xf78eb:$hawkstr1: HawkEye Keylogger 0xf7a4e:$hawkstr1: HawkEye Keylogger 0xf7cc7:$hawkstr1: HawkEye Keylogger 0x1788de:$hawkstr1: HawkEye Keylogger 0x17971f:$hawkstr1: HawkEye Keylogger 0x179a4e:$hawkstr1: HawkEye Keylogger 0x179ba9:$hawkstr1: HawkEye Keylogger 0x179d0c:$hawkstr1: HawkEye Keylogger 0x179f85:$hawkstr1: HawkEye Keylogger 0x73cbc:$hawkstr2: Dear HawkEye Customers! 0x752f1:$hawkstr2: Dear HawkEye Customers! 0x75448:$hawkstr2: Dear HawkEye Customers!
10.2.InstallUtil.exe.2b7109c.6.raw.unpack	HKTL_NET_GUID_Stealer	Detects c# red/black-team tools via typelibguid	Arnim Rupp	0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
Click to see the 140 entries

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass

Show sources

Source: Process started

Author: juju4: Data: Command: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, CommandLine: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ParentCommandLine: 'C:\Users\user\Desktop\201021.exe' , ParentImage: C:\Users\user\Desktop\201021.exe, ParentProcessId: 2168, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6672

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 201021.exe

ReversingLabs: Detection: 40%

Machine Learning detection for sample

Show sources

Source: 201021.exe

Joe Sandbox ML: detected

Source: 10.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.InstallUtil.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.InstallUtil.exe.400000.11.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.0.InstallUtil.exe.400000.11.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 10.0.InstallUtil.exe.400000.1.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.0.InstallUtil.exe.400000.1.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.201021.exe.39bac82.3.unpack	Avira: Label: TR/Inject.vcoldi

Source: 201021.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 142.250.203.100:443 -> 192.168.2.7:49746 version: TLS 1.0

Source: 201021.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: anagement.pdb source: WerFault.exe, 00000012.00000003.372347216.0000000005617000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.354853328.0000000003143000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbqk source: WERC408.tmp.dmp.18.dr
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb{q6 source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000012.00000003.372439909.00000000055D6000.00000004.00000040.sdmp
Source:	Binary string: wbemcomn.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: NapiNSP.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.353326488.0000000003137000.00000004.00000001.sdmp
Source:	Binary string: System.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: nlaapi.pdbUl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb[y>!- source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbyq7 source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.353950302.0000000003149000.00000004.00000001.sdmp
Source:	Binary string: anagement.pdb" source: WerFault.exe, 00000012.00000003.372347216.0000000005617000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000012.00000003.372191782.00000000055D1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.406134139.0000000007D10000.00000004.00020000.sdmp
Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: 201021.exe, 00000001.00000002.307784889.00000000063D0000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000000.338774279.0000000000882000.00000002.00020000.sdmp, InstallUtil.exe.1.dr
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source:	Binary string: mscorlib.pdbdb source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
Source:	Binary string: System.Configuration.pdbHH source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
Source:	Binary string: DWrite.pdbml source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: k0C:\Windows\mscorlib.pdb source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
Source:	Binary string: System.Core.ni.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdbkl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: symbols\dll\mscorlib.pdb source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 00000012.00000003.372191782.00000000055D1000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdbl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb{x6 source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000012.00000003.372439909.00000000055D6000.00000004.00000040.sdmp
Source:	Binary string: CMemoryExecute.pdb" source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp
Source:	Binary string: rasadhlp.pdbYl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERC408.tmp.dmp.18.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb source: InstallUtil.exe, 0000000A.00000002.405748695.00000000073BB000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: DWrite.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000012.00000003.372439909.00000000055D6000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: System.Management.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000012.00000003.354853328.0000000003143000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERC408.tmp.dmp.18.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERC408.tmp.dmp.18.dr
Source:	Binary string: InstallUtil.PDB source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERC408.tmp.dmp.18.dr
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: rawing.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: System.Management.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: pnrpnsp.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 00000012.00000003.372191782.00000000055D1000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: InstallUtil.pdb source: 201021.exe, 00000001.00000002.307784889.00000000063D0000.00000004.00000001.sdmp, InstallUtil.exe, InstallUtil.exe.1.dr
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: CMemoryExecute.pdb source: WerFault.exe, 00000012.00000003.372422684.0000000005618000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: nlaapi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb9lf source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb3ll source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: wmiutils.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: gdiplus.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: wbemprox.pdbgl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3 source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000012.00000003.353326488.0000000003137000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
Source:	Binary string: WLDP.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERC408.tmp.dmp.18.dr
Source:	Binary string: clrjit.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb~y> source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdbOl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbXy>" source: WerFault.exe, 00000012.00000003.372162520.00000000055DD000.00000004.00000040.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: fastprox.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: wbemsvc.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: winrnr.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: 201021.exe, 00000001.00000002.306231571.0000000003B80000.00000004.00000001.sdmp, InstallUtil.exe, 0000000A.00000002.398718518.0000000000402000.00000040.00000001.sdmp, vbc.exe
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: System.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000012.00000003.372500112.00000000055D0000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: WMINet_Utils.pdb source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: CMemoryExecute.pdbMZ source: WERC408.tmp.dmp.18.dr
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
Source:	Binary string: dhcpcsvc.pdbSl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000012.00000003.353950302.0000000003149000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000012.00000003.372300822.0000000005601000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 00000012.00000003.372191782.00000000055D1000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 00000012.00000003.372439909.00000000055D6000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp, WERC408.tmp.dmp.18.dr
Source:	Binary string: System.pdb4: source: WERC408.tmp.dmp.18.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000012.00000003.369583710.0000000005830000.00000004.00000001.sdmp
Source:	Binary string: b.pdb00CE6}IgQ source: InstallUtil.exe, 0000000A.00000000.339327398.0000000000FA0000.00000004.00000020.sdmp
Source:	Binary string: winnsi.pdbAl source: WerFault.exe, 00000012.00000003.372263564.00000000055E4000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000012.00000003.372220827.00000000055D9000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00000004.00000001.sdmp
Source:	Binary string: .pdb source: InstallUtil.exe, 0000000A.00000002.408810400.00000000084AA000.00000004.00000010.sdmp
Source:	Binary string: untime.Remoting.pdb source: WerFault.exe, 00000012.00000003.372285167.00000000055EA000.00

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 201021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance: