Analysis Report PO102300.EXE

Overview

General Information

Sample Name: PO102300.EXE
Analysis ID: 268506
MD5: b91f52847aa0c65685a0820a476828d8
SHA1: 22a45bd1e8864f1cba07dd9a23e281b86ef825fb
SHA256: c567a805b717f0516a7f7a901ea26dbfa4d77d034b1f6644baef30c1fa4e99cf

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO102300.EXE (PID: 7100 cmdline: 'C:\Users\user\Desktop\PO102300.EXE' MD5: B91F52847AA0C65685A0820A476828D8)
    • PO102300.EXE (PID: 4380 cmdline: C:\Users\user\Desktop\PO102300.EXE MD5: B91F52847AA0C65685A0820A476828D8)
      • WerFault.exe (PID: 1984 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1948 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 3528 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 4624 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
    • powershell.exe (PID: 1324 cmdline: 'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WindowsUpdate.exe (PID: 6956 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B91F52847AA0C65685A0820A476828D8)
    • WindowsUpdate.exe (PID: 4820 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: B91F52847AA0C65685A0820A476828D8)
    • WindowsUpdate.exe (PID: 5640 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: B91F52847AA0C65685A0820A476828D8)
      • WerFault.exe (PID: 6484 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1948 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 5644 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B91F52847AA0C65685A0820A476828D8)
    • WindowsUpdate.exe (PID: 7036 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe MD5: B91F52847AA0C65685A0820A476828D8)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "Mail PassView", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x5b4dc:$key: HawkEyeKeylogger
  • 0x5d760:$salt: 099u787978786
  • 0x5bb3f:$string1: HawkEye_Keylogger
  • 0x5c992:$string1: HawkEye_Keylogger
  • 0x5d6c0:$string1: HawkEye_Keylogger
  • 0x5bf28:$string2: holdermail.txt
  • 0x5bf48:$string2: holdermail.txt
  • 0x5be6a:$string3: wallet.dat
  • 0x5be82:$string3: wallet.dat
  • 0x5be98:$string3: wallet.dat
  • 0x5d284:$string4: Keylog Records
  • 0x5d59c:$string4: Keylog Records
  • 0x5d7b8:$string5: do not script -->
  • 0x5b4c4:$string6: \pidloc.txt
  • 0x5b552:$string7: BSPLIT
  • 0x5b562:$string7: BSPLIT
0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x5bb97:$hawkstr1: HawkEye Keylogger
  • 0x5c9d8:$hawkstr1: HawkEye Keylogger
  • 0x5cd07:$hawkstr1: HawkEye Keylogger
  • 0x5ce62:$hawkstr1: HawkEye Keylogger
  • 0x5cfc5:$hawkstr1: HawkEye Keylogger
  • 0x5d25c:$hawkstr1: HawkEye Keylogger
  • 0x5b725:$hawkstr2: Dear HawkEye Customers!
  • 0x5cd5a:$hawkstr2: Dear HawkEye Customers!
  • 0x5ceb1:$hawkstr2: Dear HawkEye Customers!
  • 0x5d018:$hawkstr2: Dear HawkEye Customers!
  • 0x5b846:$hawkstr3: HawkEye Logger Details:

Unpacked PEs

Source | Rule | Description | Author | Strings
25.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
15.2.PO102300.EXE.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b90c:$key: HawkEyeKeylogger
  • 0x7db90:$salt: 099u787978786
  • 0x7bf6f:$string1: HawkEye_Keylogger
  • 0x7cdc2:$string1: HawkEye_Keylogger
  • 0x7daf0:$string1: HawkEye_Keylogger
  • 0x7c358:$string2: holdermail.txt
  • 0x7c378:$string2: holdermail.txt
  • 0x7c29a:$string3: wallet.dat
  • 0x7c2b2:$string3: wallet.dat
  • 0x7c2c8:$string3: wallet.dat
  • 0x7d6b4:$string4: Keylog Records
  • 0x7d9cc:$string4: Keylog Records
  • 0x7dbe8:$string5: do not script -->
  • 0x7b8f4:$string6: \pidloc.txt
  • 0x7b982:$string7: BSPLIT
  • 0x7b992:$string7: BSPLIT
15.2.PO102300.EXE.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
15.2.PO102300.EXE.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
15.2.PO102300.EXE.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, ParentCommandLine: C:\Users\user\Desktop\PO102300.EXE, ParentImage: C:\Users\user\Desktop\PO102300.EXE, ParentProcessId: 4380, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt', ProcessId: 3528

Signature Overview

AV Detection:

Found malware configuration
Source: WindowsUpdate.exe.6956.23.memstr, Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "Mail PassView", "mailpv"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO102300.EXE, Joe Sandbox ML: detected
Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: PO102300.EXE, 0000000F.00000002.370756528.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: PO102300.EXE, 0000000F.00000002.370756528.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: PO102300.EXE, 0000000F.00000002.373833079.00000000032BC000.00000004.00000001.sdmp, Binary or memory string: l[autorun]
Source: WerFault.exe, 00000016.00000003.352464081.0000000005890000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000016.00000003.352464081.0000000005890000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: WerFault.exe, 00000026.00000003.472970682.0000000004FC0000.00000004.00000001.sdmp, Binary or memory string: autorun.inf
Source: WerFault.exe, 00000026.00000003.472970682.0000000004FC0000.00000004.00000001.sdmp, Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp, Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp, Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, Code function: 24_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 24_2_00406EC3
Source: C:\Users\user\Desktop\PO102300.EXE, Code function: 4x nop then jmp 0558A630h, 15_2_0558A559
Source: C:\Users\user\Desktop\PO102300.EXE, Code function: 4x nop then jmp 0558A630h, 15_2_0558A568
Source: C:\Users\user\Desktop\PO102300.EXE, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 15_2_05589EF5
Source: C:\Users\user\Desktop\PO102300.EXE, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 15_2_05582B75
Source: C:\Users\user\Desktop\PO102300.EXE, Code function: 4x nop then lea esp, dword ptr [ebp-08h], 15_2_05589A2D
Source: unknown, DNS traffic detected: query: 82.148.8.0.in-addr.arpa, replaycode: Name error (3)
Source: unknown, DNS traffic detected: queries for: 82.148.8.0.in-addr.arpa
                Source: PO102300.EXE, 00000000.00000003.239339182.0000000005927000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnss
                Source: PO102300.EXE, 00000000.00000003.239339182.0000000005927000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnt-b
                Source: PO102300.EXE, 00000000.00000003.239239741.0000000005928000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cntio
                Source: PO102300.EXE, 00000000.00000003.239339182.0000000005927000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnu-r
                Source: PO102300.EXE, 00000000.00000002.330717317.0000000005A10000.00000002.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                Source: PO102300.EXE, 00000000.00000002.330717317.0000000005A10000.00000002.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                Source: PO102300.EXE, 00000000.00000002.330717317.0000000005A10000.00000002.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                Source: PO102300.EXE, 00000000.00000002.324899617.0000000002ABE000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.436694835.0000000003139000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.465897533.00000000030FF000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com
                Source: PO102300.EXE, 00000000.00000003.241115265.000000000592D000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                Source: PO102300.EXE, 00000000.00000003.240600082.000000000592B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.com
                Source: PO102300.EXE, 00000000.00000003.241115265.000000000592D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/://w
                Source: PO102300.EXE, 00000000.00000003.241115265.000000000592D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H
                Source: PO102300.EXE, 00000000.00000003.241115265.000000000592D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                Source: PO102300.EXE, 00000000.00000003.241115265.000000000592D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1
                Source: WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                Source: PO102300.EXE, 00000000.00000003.237524426.000000000593B000.00000004.00000001.sdmp, PO102300.EXE, 00000000.00000002.330717317.0000000005A10000.00000002.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                Source: PO102300.EXE, 00000000.00000003.237524426.000000000593B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com2
                Source: PO102300.EXE, 00000000.00000003.237524426.000000000593B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
                Source: PO102300.EXE, 00000000.00000003.237524426.000000000593B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.come
                Source: PO102300.EXE, 00000000.00000003.237524426.000000000593B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comt
                Source: PO102300.EXE, 00000000.00000003.241140826.0000000005954000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                Source: PO102300.EXE, 00000000.00000002.330717317.0000000005A10000.00000002.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                Source: PO102300.EXE, 0000000F.00000002.373037695.000000000305B000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                Source: WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: PO102300.EXE, 00000000.00000002.330717317.0000000005A10000.00000002.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: PO102300.EXE, 00000000.00000002.330717317.0000000005A10000.00000002.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: PO102300.EXE, 00000000.00000002.330717317.0000000005A10000.00000002.00000001.sdmp, PO102300.EXE, 0000000F.00000002.377279622.00000000062F0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.441579962.0000000006020000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.471842204.0000000005FB0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                Source: PO102300.EXE, 00000000.00000002.324899617.0000000002ABE000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.446152379.0000000007820000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.465897533.00000000030FF000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
                Source: WindowsUpdate.exe, 0000001A.00000002.464770957.0000000002FD1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
                Source: PO102300.EXE, 00000000.00000002.324849699.0000000002AAA000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.436653327.0000000003124000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.464770957.0000000002FD1000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
                Source: PO102300.EXE, 00000000.00000002.324849699.0000000002AAA000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/X
                Source: WindowsUpdate.exe, 0000001A.00000002.465488955.0000000003061000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/XZ
                Source: WindowsUpdate.exe, 00000017.00000002.436653327.0000000003124000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/Xn

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                Yara detected HawkEye Keylogger
                Source: Yara match | File source: 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000016.00000003.352464081.0000000005890000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.370756528.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.436779196.0000000004011000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000017.00000002.436741797.0000000003159000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.324974259.0000000002ADE000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000026.00000003.472970682.0000000004FC0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.466918088.0000000004101000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.373674833.000000000328A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.322812570.0000000003BAD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000F.00000002.373724288.000000000329A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001A.00000002.466018246.000000000311F000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6956, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5644, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 1984, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 7036, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PO102300.EXE PID: 7100, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PO102300.EXE PID: 4380, type: MEMORY
                Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 6484, type: MEMORY
                Source: Yara match | File source: 15.2.PO102300.EXE.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 39.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
                Contains functionality to log keystrokes (.Net Source)
                Source: 15.2.PO102300.EXE.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
                Installs a global keyboard hook
                Source: C:\Users\user\Desktop\PO102300.EXE | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PO102300.EXE
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA
                Source: C:\Users\user\Desktop\PO102300.EXE | Window created: window name: CLIPBRDWNDCLASS
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Window created: window name: CLIPBRDWNDCLASS

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000016.00000003.352464081.0000000005890000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000016.00000003.352464081.0000000005890000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.370756528.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000000F.00000002.370756528.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000017.00000002.436779196.0000000004011000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000017.00000002.436779196.0000000004011000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000017.00000002.436741797.0000000003159000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000017.00000002.436741797.0000000003159000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.324974259.0000000002ADE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000002.324974259.0000000002ADE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000026.00000003.472970682.0000000004FC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000026.00000003.472970682.0000000004FC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001A.00000002.466918088.0000000004101000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001A.00000002.466918088.0000000004101000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.373674833.000000000328A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000003.322812570.0000000003BAD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 00000000.00000003.322812570.0000000003BAD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000F.00000002.373724288.000000000329A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000001A.00000002.466018246.000000000311F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 0000001A.00000002.466018246.000000000311F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 15.2.PO102300.EXE.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 15.2.PO102300.EXE.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 39.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                Source: 39.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_005E6244
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_005E6304
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_00FE4260
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_00FE4250
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_00FED2C4
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_00FE3F78
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_00FE3F67
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_04ED0040
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_04ED001F
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_04EDFB10
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 0_2_071F5AC0
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 15_2_00C66244
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 15_2_00C66304
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 15_2_0163B29C
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 15_2_0163C310
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 15_2_0163B290
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 15_2_016399D0
                Source: C:\Users\user\Desktop\PO102300.EXE | Code function: 15_2_0163DFD0
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_00CC6244
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_00CC6304
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_01434260
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_01434250
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_0143D2C4
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_01433F67
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_01433F78
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 23_2_074D5F78
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_00404DDB
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_0040BD8A
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_00404E4C
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_00404EBD
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_00404F4E
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 26_2_00C86244
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 26_2_00C86304
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 26_2_01534260
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 26_2_01534250
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 26_2_0153D2C4
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 26_2_01533F78
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 26_2_01533F67
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 26_2_07495AC0
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: String function: 00411538 appears 35 times
                Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 1948
                Source: PO102300.EXE, 00000000.00000002.325158229.0000000003991000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFwxilqqz.dll< vs PO102300.EXE
                Source: PO102300.EXE, 00000000.00000002.335014869.0000000007610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO102300.EXE
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO102300.EXE
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO102300.EXE
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PO102300.EXE
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PO102300.EXE
                Source: PO102300.EXE, 00000000.00000002.323167039.000000000064C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_po1023001.exe4 vs PO102300.EXE
                Source: PO102300.EXE, 0000000F.00000002.372930542.0000000002FF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO102300.EXE
                Source: PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs PO102300.EXE
                Source: PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO102300.EXE
                Source: PO102300.EXE, 0000000F.00000000.321518360.0000000000CCC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameLime_po1023001.exe4 vs PO102300.EXE
                Source: PO102300.EXE, 0000000F.00000002.371450430.000000000139A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO102300.EXE
                Source: PO102300.EXE, 0000000F.00000002.370834364.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs PO102300.EXE
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
                Source: 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000016.00000003.352464081.0000000005890000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000016.00000003.352464081.0000000005890000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.370756528.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000000F.00000002.370756528.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000017.00000002.436779196.0000000004011000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000017.00000002.436779196.0000000004011000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000017.00000002.436741797.0000000003159000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000017.00000002.436741797.0000000003159000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.324974259.0000000002ADE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000002.324974259.0000000002ADE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000026.00000003.472970682.0000000004FC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000026.00000003.472970682.0000000004FC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001A.00000002.466918088.0000000004101000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001A.00000002.466918088.0000000004101000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.373674833.000000000328A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000003.322812570.0000000003BAD000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 00000000.00000003.322812570.0000000003BAD000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000000F.00000002.373724288.000000000329A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 0000001A.00000002.466018246.000000000311F000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 0000001A.00000002.466018246.000000000311F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 15.2.PO102300.EXE.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 15.2.PO102300.EXE.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: 39.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                Source: 39.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                Source: PO102300.EXE | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: vlc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: WindowsUpdate.exe.15.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: PO102300.EXE, Dk9gUMy7y2lBOYLAO1/q4Mx5u6OuYFIwDZ3eq.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: vlc.exe.0.dr, Dk9gUMy7y2lBOYLAO1/q4Mx5u6OuYFIwDZ3eq.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.2.PO102300.EXE.5e0000.0.unpack, Dk9gUMy7y2lBOYLAO1/q4Mx5u6OuYFIwDZ3eq.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 0.0.PO102300.EXE.5e0000.0.unpack, Dk9gUMy7y2lBOYLAO1/q4Mx5u6OuYFIwDZ3eq.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: WindowsUpdate.exe.15.dr, Dk9gUMy7y2lBOYLAO1/q4Mx5u6OuYFIwDZ3eq.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 15.2.PO102300.EXE.c60000.1.unpack, Dk9gUMy7y2lBOYLAO1/q4Mx5u6OuYFIwDZ3eq.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 15.2.PO102300.EXE.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 15.2.PO102300.EXE.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 15.2.PO102300.EXE.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                Source: 15.2.PO102300.EXE.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 15.2.PO102300.EXE.400000.0.unpack, Form1.cs | Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@22/22@2/2
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 24_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,24_2_0040ED0B
                Source: C:\Users\user\Desktop\PO102300.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6652:120:WilError_01
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4380
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5640
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ubiuymgc.5js.ps1
                Source: PO102300.EXE | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\PO102300.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\PO102300.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\PO102300.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Users\user\Desktop\PO102300.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\PO102300.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\PO102300.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\Desktop\PO102300.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.503553530.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.503553530.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.503553530.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.503553530.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.503553530.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.503553530.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: PO102300.EXE, 00000000.00000002.325323993.0000000003AC1000.00000004.00000001.sdmp, PO102300.EXE, 0000000F.00000002.374023135.0000000003FF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000003.433754985.00000000041A9000.00000004.00000001.sdmp, vbc.exe, 00000019.00000002.503553530.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000003.460780333.00000000041ED000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000027.00000002.499418030.0000000000402000.00000040.00000001.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Users\user\Desktop\PO102300.EXE | File read: C:\Users\user\Desktop\PO102300.EXE
                Source: unknown | Process created: C:\Users\user\Desktop\PO102300.EXE 'C:\Users\user\Desktop\PO102300.EXE'
                Source: unknown | Process created: C:\Users\user\Desktop\PO102300.EXE C:\Users\user\Desktop\PO102300.EXE
                Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe''
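                The PowerShell process above is the sample whitelisting its own dropped copy of vlc.exe with Microsoft Defender before that copy is run. The following detection logic is an added example and is not code from the report, the sample or Joe Sandbox: it runs over constructed process-creation records in the shape of Sysmon Event ID 1 (the first command line is the one recorded above, the other three and all PIDs are made up), pulls out every exclusion an Add-MpPreference or Set-MpPreference call would add, and rates the event high when an excluded path lies in a location a non-admin user can write to. The list of user-writable markers is an assumption and should be extended per environment.

```python
"""Flag PowerShell command lines that add Microsoft Defender exclusions.

Added example for the sandbox report; not code from the sample or the sandbox.
Input is a list of constructed process-creation records shaped like Sysmon
Event ID 1 (pid, image, cmdline).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Locations a non-admin user can write to, plus environment variables that
# expand to them. Assumed list; extend for your environment.
USER_WRITABLE_MARKERS = (
    r"\appdata\roaming", r"\appdata\local", r"\users\public", r"\programdata",
    r"\downloads", "$env:appdata", "$env:localappdata", "$env:temp", "$env:tmp",
    "%appdata%", "%localappdata%", "%temp%", "%tmp%",
)

# Add-MpPreference or Set-MpPreference anywhere in the command line.
_MPPREF_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)

# -ExclusionPath / -ExclusionProcess / -ExclusionExtension (PowerShell also
# accepts abbreviated parameter names, hence \w*) followed by a value that runs
# until the next parameter, a statement separator or end of line. Quotes are
# stripped afterwards so that paths containing spaces survive intact.
_EXCLUSION_RE = re.compile(
    r"-Exclusion\w*\s+(?P<val>.+?)(?=\s+-[A-Za-z]|\s*;|\s*$)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    image: str
    exclusions: list
    severity: str  # "high" if any exclusion lands in a user-writable location


def extract_exclusions(cmdline: str) -> list[str]:
    """Return the exclusion values a command line would add, or [] if none."""
    if not _MPPREF_RE.search(cmdline):
        return []
    values = []
    for match in _EXCLUSION_RE.finditer(cmdline):
        # A single parameter may carry several comma-separated values.
        for part in match.group("val").split(","):
            cleaned = part.strip().strip("'\"")
            if cleaned:
                values.append(cleaned)
    return values


def is_user_writable(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def scan(events: list[dict]) -> list[Finding]:
    """One Finding per event that adds at least one Defender exclusion."""
    findings = []
    for ev in events:
        exclusions = extract_exclusions(ev["cmdline"])
        if not exclusions:
            continue
        severity = "high" if any(is_user_writable(v) for v in exclusions) else "medium"
        findings.append(Finding(ev["pid"], ev["image"], exclusions, severity))
    return findings


# Constructed records. The first command line is the one from the report;
# the remaining three and every PID are invented for the example.
SAMPLE_EVENTS = [
    {"pid": 4372, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'Powershell' Add-MpPreference -ExclusionPath ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe''"},
    {"pid": 5120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Set-MpPreference -ExclusionPath $env:APPDATA -Force"'},
    {"pid": 6000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Backup Agent" -ExclusionExtension ".bak"'},
    {"pid": 6100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-MpPreference | Select-Object ExclusionPath"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image} excludes {f.exclusions}")
```

Command-line matching is only a first layer: a script that builds the cmdlet name at runtime or reads the path from a file will not match the regex. Pair it with Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which records the configuration change itself however it was triggered, and with a periodic Get-MpPreference audit of ExclusionPath, ExclusionProcess and ExclusionExtension on endpoints.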
                Source: unknown<