Analysis Report BL Draft.exe

Overview

General Information

Sample Name: BL Draft.exe
Analysis ID: 298736
MD5: dd7386e9dcb47aa9fc636f41f92a8b41
SHA1: 4b2588935c0d0ab26cb51e905bd5ca87c0f48d5f
SHA256: 742df88a1a378e32ee39558cca89f9b9df3f865c2ba33635e9e260fbe1377f1f
Tags: exe, HawkEye, Maersk

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BL Draft.exe (PID: 6548 cmdline: 'C:\Users\user\Desktop\BL Draft.exe' MD5: DD7386E9DCB47AA9FC636F41F92A8B41)
    • schtasks.exe (PID: 7120 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kfvsUr' /XML 'C:\Users\user\AppData\Local\Temp\tmpF63D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • BL Draft.exe (PID: 5456 cmdline: {path} MD5: DD7386E9DCB47AA9FC636F41F92A8B41)
      • WerFault.exe (PID: 6588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 1856 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 764 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 3000 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • vbc.exe (PID: 4488 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
        • WerFault.exe (PID: 2856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 4328 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: DD7386E9DCB47AA9FC636F41F92A8B41)
    • schtasks.exe (PID: 4568 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kfvsUr' /XML 'C:\Users\user\AppData\Local\Temp\tmp80F8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • WindowsUpdate.exe (PID: 5332 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: DD7386E9DCB47AA9FC636F41F92A8B41)
    • schtasks.exe (PID: 6672 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kfvsUr' /XML 'C:\Users\user\AppData\Local\Temp\tmpB1BD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WindowsUpdate.exe (PID: 4632 cmdline: {path} MD5: DD7386E9DCB47AA9FC636F41F92A8B41)
      • WerFault.exe (PID: 2336 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 1968 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.368513655.00000000044D3000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
00000008.00000002.368383769.0000000004461000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b708:$key: HawkEyeKeylogger
  • 0x7d95a:$salt: 099u787978786
  • 0x7bd31:$string1: HawkEye_Keylogger
  • 0x7cb84:$string1: HawkEye_Keylogger
  • 0x7d8ba:$string1: HawkEye_Keylogger
  • 0x7c11a:$string2: holdermail.txt
  • 0x7c13a:$string2: holdermail.txt
  • 0x7c05c:$string3: wallet.dat
  • 0x7c074:$string3: wallet.dat
  • 0x7c08a:$string3: wallet.dat
  • 0x7d49c:$string4: Keylog Records
  • 0x7d7b4:$string4: Keylog Records
  • 0x7d9b2:$string5: do not script -->
  • 0x7b6f0:$string6: \pidloc.txt
  • 0x7b766:$string7: BSPLIT
  • 0x7b776:$string7: BSPLIT
00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
(66 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.BL Draft.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b908:$key: HawkEyeKeylogger
  • 0x7db5a:$salt: 099u787978786
  • 0x7bf31:$string1: HawkEye_Keylogger
  • 0x7cd84:$string1: HawkEye_Keylogger
  • 0x7daba:$string1: HawkEye_Keylogger
  • 0x7c31a:$string2: holdermail.txt
  • 0x7c33a:$string2: holdermail.txt
  • 0x7c25c:$string3: wallet.dat
  • 0x7c274:$string3: wallet.dat
  • 0x7c28a:$string3: wallet.dat
  • 0x7d69c:$string4: Keylog Records
  • 0x7d9b4:$string4: Keylog Records
  • 0x7dbb2:$string5: do not script -->
  • 0x7b8f0:$string6: \pidloc.txt
  • 0x7b966:$string7: BSPLIT
  • 0x7b976:$string7: BSPLIT
8.2.BL Draft.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
8.2.BL Draft.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
8.2.BL Draft.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
8.2.BL Draft.exe.400000.0.unpack | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x7bf89:$hawkstr1: HawkEye Keylogger
  • 0x7cdca:$hawkstr1: HawkEye Keylogger
  • 0x7d0f9:$hawkstr1: HawkEye Keylogger
  • 0x7d254:$hawkstr1: HawkEye Keylogger
  • 0x7d3b7:$hawkstr1: HawkEye Keylogger
  • 0x7d674:$hawkstr1: HawkEye Keylogger
  • 0x7bb17:$hawkstr2: Dear HawkEye Customers!
  • 0x7d14c:$hawkstr2: Dear HawkEye Customers!
  • 0x7d2a3:$hawkstr2: Dear HawkEye Customers!
  • 0x7d40a:$hawkstr2: Dear HawkEye Customers!
  • 0x7bc38:$hawkstr3: HawkEye Logger Details:
(10 entries in total; the remaining entries are not shown here)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kfvsUr' /XML 'C:\Users\user\AppData\Local\Temp\tmpF63D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kfvsUr' /XML 'C:\Users\user\AppData\Local\Temp\tmpF63D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\BL Draft.exe' , ParentImage: C:\Users\user\Desktop\BL Draft.exe, ParentProcessId: 6548, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kfvsUr' /XML 'C:\Users\user\AppData\Local\Temp\tmpF63D.tmp', ProcessId: 7120

Signature Overview

AV Detection:

Found malware configuration
Source: WindowsUpdate.exe.7008.22.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Roaming\kfvsUr.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: BL Draft.exe | Virustotal: Detection: 30%
Source: BL Draft.exe | ReversingLabs: Detection: 33%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kfvsUr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: BL Draft.exe | Joe Sandbox ML: detected
Source: 8.2.BL Draft.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.BL Draft.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 32.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 32.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 22.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 22.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: BL Draft.exe, 00000008.00000002.361756039.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: BL Draft.exe, 00000008.00000002.361756039.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WerFault.exe, 00000010.00000003.322213026.0000000005AB0000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WerFault.exe, 00000010.00000003.322213026.0000000005AB0000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000020.00000002.455859954.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000020.00000002.455859954.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 8_2_07CAFE88
Source: unknown | DNS traffic detected: query: 209.183.8.0.in-addr.arpa replaycode: Name error (3)
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, BL Draft.exe, 00000008.00000002.368513655.00000000044D3000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.459716560.00000000041E0000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, BL Draft.exe, 00000008.00000002.368513655.00000000044D3000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.459716560.00000000041E0000.00000004.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 209.183.8.0.in-addr.arpa
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, BL Draft.exe, 00000008.00000002.368513655.00000000044D3000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.459716560.00000000041E0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WerFault.exe, 00000010.00000003.344666253.0000000005251000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 00000016.00000002.355161843.0000000002B21000.00000004.00000001.sdmp | String found in binary or memory: http://foo.com/foo
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, BL Draft.exe, 00000008.00000002.368513655.00000000044D3000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.459716560.00000000041E0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: BL Draft.exe, 00000001.00000002.282918915.0000000003687000.00000004.00000001.sdmp, BL Draft.exe, 00000008.00000002.365413939.0000000003461000.00000004.00000001.sdmp, WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.358832592.0000000003907000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.394342804.00000000032CB000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000016.00000002.355161843.0000000002B21000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.458702346.0000000003171000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000010.00000003.321427462.0000000005DB0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, BL Draft.exe, 00000008.00000002.361756039.0000000000402000.00000040.00000001.sdmp, WerFault.exe, 00000010.00000003.322213026.0000000005AB0000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.455859954.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: BL Draft.exe, 00000001.00000002.278548946.00000000014E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comicuJ
Source: BL Draft.exe, 00000001.00000002.278548946.00000000014E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comionox
Source: BL Draft.exe, 00000001.00000002.278548946.00000000014E7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comq
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WindowsUpdate.exe, 00000020.00000002.459645938.0000000004179000.00000004.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                Source: BL Draft.exe, 00000008.00000002.365413939.0000000003461000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.458702346.0000000003171000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                Source: WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                Source: BL Draft.exe, 00000001.00000002.291549123.0000000005F10000.00000002.00000001.sdmp, BL Draft.exe, 00000008.00000002.373074144.0000000006680000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.395447170.0000000006150000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.409368361.0000000005DE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000020.00000002.463325911.0000000006350000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.322213026.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.287336560.0000000004CC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.365413939.0000000003461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.455859954.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000003.425571098.00000000050A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.361756039.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.458702346.0000000003171000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 7008, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5332, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 4632, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 4328, type: MEMORY
Source: Yara match | File source: Process Memory Space: WerFault.exe PID: 6588, type: MEMORY
Source: Yara match | File source: Process Memory Space: BL Draft.exe PID: 5456, type: MEMORY
Source: Yara match | File source: Process Memory Space: BL Draft.exe PID: 6548, type: MEMORY
Source: Yara match | File source: 8.2.BL Draft.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 32.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 8.2.BL Draft.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\BL Draft.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\BL Draft.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdate.exe

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.322213026.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.322213026.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.287336560.0000000004CC5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.287336560.0000000004CC5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.365413939.0000000003461000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.455859954.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000020.00000002.455859954.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000003.425571098.00000000050A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000024.00000003.425571098.00000000050A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.361756039.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.361756039.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.458702346.0000000003171000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.BL Draft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.BL Draft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 32.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_00B22050
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_02D3C134
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_02D3E578
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_02D3E568
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C0E18
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C1CD0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C4A58
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C41A8
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C7980
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C20B0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C4778
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C3770
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C4788
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C3780
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C2568
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C2558
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C0DF5
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C4CF0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C4CE0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C1CBF
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C1268
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C1259
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C4A48
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C411F
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C0007
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C08F0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_077C40D9
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 1_2_00B26005
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_00FF2050
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_0192B29C
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_0192C310
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_0192B290
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_019299D0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_0192DFD0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_07CAB4E0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_07CAEEC8
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_07CABDB0
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_07CAB198
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_07CA0021
Source: C:\Users\user\Desktop\BL Draft.exe | Code function: 8_2_00FF6005
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_00D62050
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_0153C134
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_0153E578
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_0153E568
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E1CD0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E4A58
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E7970
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E0950
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E41A8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E20B0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E4778
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E3770
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E4788
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E3780
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E2568
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E255B
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E0D91
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E1CBF
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E4CE0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E4CF0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E1268
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E4A48
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E1259
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E0922
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E4173
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E4152
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_072E40D9
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 17_2_00D66005
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 19_2_008E2050
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 19_2_02BBC134
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 19_2_02BBE578
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 19_2_02BBE568
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 19_2_008E6005
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 1856
Source: BL Draft.exe | Binary or memory string: OriginalFilename vs BL Draft.exe
Source: BL Draft.exe, 00000001.00000002.280851397.0000000003471000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs BL Draft.exe
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BL Draft.exe
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BL Draft.exe
Source: BL Draft.exe, 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs BL Draft.exe
Source: BL Draft.exe, 00000001.00000002.296287419.000000000DC20000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs BL Draft.exe
Source: BL Draft.exe, 00000001.00000002.296287419.000000000DC20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs BL Draft.exe
Source: BL Draft.exe, 00000001.00000002.287336560.0000000004CC5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHS.exe8 vs BL Draft.exe
Source: BL Draft.exe, 00000001.00000002.296011400.000000000DB20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs BL Draft.exe
Source: BL Draft.exe | Binary or memory string: OriginalFilename vs BL Draft.exe
Source: BL Draft.exe, 00000008.00000002.368513655.00000000044D3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs BL Draft.exe
Source: BL Draft.exe, 00000008.00000002.374408818.0000000008230000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs BL Draft.exe
Source: BL Draft.exe, 00000008.00000002.368383769.0000000004461000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs BL Draft.exe
Source: BL Draft.exe, 00000008.00000002.362253703.0000000000482000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamePhulli.exe0 vs BL Draft.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000016.00000002.352532293.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284103084.00000000040D7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000013.00000002.400624871.00000000040CE000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000003.322213026.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000003.322213026.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.287336560.0000000004CC5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.287336560.0000000004CC5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.365413939.0000000003461000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.455859954.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000020.00000002.455859954.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000024.00000003.425571098.00000000050A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000024.00000003.425571098.00000000050A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000002.374315405.0000000004F45000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.361756039.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.361756039.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.458702346.0000000003171000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.BL Draft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.BL Draft.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 32.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 32.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: BL Draft.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kfvsUr.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 8.2.BL Draft.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 8.2.BL Draft.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 8.2.BL Draft.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 8.2.BL Draft.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.BL Draft.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'HYGinuP2W+wS+vkfHX79hl2vStbGLw3J+5Xsl+GnhDp9F4gBEJnUv5/nqV7ZWYvtqqFV2qAl3+H38NZH4iJ2Jw==', 'i4O7FYqpGut2ExYGGOwrdwkHCsxkl1hqaftLh+g8tuZF5n3euDzP0xcReF8ffTJSfqZzx99SZmhL14LSAmPnrw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 22.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | Base64 encoded string: 'HYGinuP2W+wS+vkfHX79hl2vStbGLw3J+5Xsl+GnhDp9F4gBEJnUv5/nqV7ZWYvtqqFV2qAl3+H38NZH4iJ2Jw==', 'i4O7FYqpGut2ExYGGOwrdwkHCsxkl1hqaftLh+g8tuZF5n3euDzP0xcReF8ffTJSfqZzx99SZmhL14LSAmPnrw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@28/28@2/2
Source: C:\Users\user\Desktop\BL Draft.exe | File created: C:\Users\user\AppData\Roaming\kfvsUr.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5092:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess764
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5456
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4488
                Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4632
                Source: C:\Users\user\Desktop\BL Draft.exeFile created: C:\Users\user\AppData\Local\Temp\tmpF63D.tmpJump to behavior
                Source: BL Draft.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ