
Analysis Report Order Specifications.exe

Overview

General Information

Sample Name: Order Specifications.exe
Analysis ID: 299013
MD5: 05a63c79efc6cf8a8b2267acb30ccd3b
SHA1: 35337c5829cbed7fed441175acb2e0fef414e3ac
SHA256: 8e4ceb651508d097ba20fbb82af157ea25bc12e32caaf7d02247646e4e3c0629
Tags: HawkEye


Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Order Specifications.exe (PID: 6964 cmdline: 'C:\Users\user\Desktop\Order Specifications.exe' MD5: 05A63C79EFC6CF8A8B2267ACB30CCD3B)
    • Order Specifications.exe (PID: 7040 cmdline: {path} MD5: 05A63C79EFC6CF8A8B2267ACB30CCD3B)
      • WerFault.exe (PID: 5780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1996 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 6944 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 05A63C79EFC6CF8A8B2267ACB30CCD3B)
    • WindowsUpdate.exe (PID: 5712 cmdline: {path} MD5: 05A63C79EFC6CF8A8B2267ACB30CCD3B)
      • WerFault.exe (PID: 7164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1996 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 4688 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 05A63C79EFC6CF8A8B2267ACB30CCD3B)
    • WindowsUpdate.exe (PID: 6580 cmdline: {path} MD5: 05A63C79EFC6CF8A8B2267ACB30CCD3B)
      • WerFault.exe (PID: 6016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 1296 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.236772436.00000000030AA000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
00000001.00000002.236772436.00000000030AA000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x25d0:$hawkstr1: HawkEye Keylogger
  • 0x2088:$hawkstr2: Dear HawkEye Customers!
  • 0x21b6:$hawkstr3: HawkEye Logger Details:
0000000D.00000002.295014306.0000000002E4A000.00000004.00000001.sdmp | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
0000000D.00000002.295014306.0000000002E4A000.00000004.00000001.sdmp | Hawkeye | detect HawkEye in memory | JPCERT/CC Incident Response Group
  • 0x25d0:$hawkstr1: HawkEye Keylogger
  • 0x2088:$hawkstr2: Dear HawkEye Customers!
  • 0x21b6:$hawkstr3: HawkEye Logger Details:
00000001.00000002.237131394.0000000003E19000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.WindowsUpdate.exe.3c24000.2.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
13.2.WindowsUpdate.exe.400000.0.unpack | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>
  • 0x7b908:$key: HawkEyeKeylogger
  • 0x7db5a:$salt: 099u787978786
  • 0x7bf31:$string1: HawkEye_Keylogger
  • 0x7cd84:$string1: HawkEye_Keylogger
  • 0x7daba:$string1: HawkEye_Keylogger
  • 0x7c31a:$string2: holdermail.txt
  • 0x7c33a:$string2: holdermail.txt
  • 0x7c25c:$string3: wallet.dat
  • 0x7c274:$string3: wallet.dat
  • 0x7c28a:$string3: wallet.dat
  • 0x7d69c:$string4: Keylog Records
  • 0x7d9b4:$string4: Keylog Records
  • 0x7dbb2:$string5: do not script -->
  • 0x7b8f0:$string6: \pidloc.txt
  • 0x7b966:$string7: BSPLIT
  • 0x7b976:$string7: BSPLIT
13.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
13.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_HawkEye | Yara detected HawkEye Keylogger | Joe Security
13.2.WindowsUpdate.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: WindowsUpdate.exe.5712.13.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv", "WebBrowserPassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Order Specifications.exe | Joe Sandbox ML: detected
Source: 1.2.Order Specifications.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.Order Specifications.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.WindowsUpdate.exe.400000.0.unpack | Avira: Label: SPR/Tool.MailPassView.473
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp | Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp | Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp | Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\Order Specifications.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 1_2_07B1FE8A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 13_2_0753FE8A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 13_2_07CC26D9
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 13_2_07CC04C4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 13_2_07CC2BA1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 13_2_07CC433A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 13_2_07CC326B
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 13_2_07CC2835
Source: unknown | DNS traffic detected: query: 231.58.0.0.in-addr.arpa replaycode: Name error (3)
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login | equals www.facebook.com (Facebook)
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login | equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: 231.58.0.0.in-addr.arpa
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000003.208194875.0000000005F4B000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Order Specifications.exe, 00000001.00000003.208008502.0000000005F4B000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com/
Source: WindowsUpdate.exe, 0000000F.00000002.319705634.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: http://foo.com/foo
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: Order Specifications.exe, 00000001.00000002.236502532.0000000002E11000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.294708011.0000000002BB1000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.319705634.0000000003321000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/-
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order Specifications.exe, 00000001.00000003.210072304.0000000005F49000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Order Specifications.exe, 00000001.00000003.210304679.0000000005F47000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comb4
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Order Specifications.exe, 00000001.00000003.212211795.0000000005F3E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order Specifications.exe, 00000001.00000003.213054440.0000000005F6A000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000003.213006227.0000000005F6A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order Specifications.exe, 00000001.00000002.236374041.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma~
Source: Order Specifications.exe, 00000001.00000002.236374041.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comceva
Source: Order Specifications.exe, 00000001.00000002.236374041.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comf
Source: Order Specifications.exe, 00000001.00000002.236374041.00000000012F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.commcoml
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Order Specifications.exe, 00000001.00000003.207685308.0000000005F4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comc
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: WindowsUpdate.exe, 0000000D.00000002.294963558.0000000002DD7000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.294708011.0000000002BB1000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Order Specifications.exe, 00000001.00000003.208244342.0000000005F4B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comn
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Order Specifications.exe, 00000001.00000002.240285781.0000000007142000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.298658019.0000000005EC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: 00000001.00000002.236772436.00000000030AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.295014306.0000000002E4A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.236502532.0000000002E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.236782232.00000000030BA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.294708011.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.295028435.0000000002E5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 5712, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6580, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 6944, type: MEMORY
Source: Yara match | File source: Process Memory Space: WindowsUpdate.exe PID: 4688, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order Specifications.exe PID: 6964, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order Specifications.exe PID: 7040, type: MEMORY
Source: Yara match | File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Order Specifications.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 1.2.Order Specifications.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 15.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Code function: 13_2_07CC04E4 SetWindowsHookExA 0000000D,00000000,?,? | 13_2_07CC04E4
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Order Specifications.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Order Specifications.exe
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\WindowsUpdate.exe

                System Summary:

                barindex
                Malicious sample detected (through community Yara rule)Show sources
                Source: 00000001.00000002.236772436.00000000030AA000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 0000000D.00000002.295014306.0000000002E4A000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                Source: 00000001.00000002.236502532.0000000002E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.294708011.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 15.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.Order Specifications.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects HawkEye RAT; Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Order Specifications.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect HawkEye in memory; Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Order Specifications.exe
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_0170C21C
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_0170EBF8
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_0170EBE9
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_051214E0
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_05124300
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_051214D0
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_051217DB
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_051217E0
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_051211D8
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_051211C8
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_05120006
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_05120040
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_05608653
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_05609170
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_0560A0A8
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 0_2_05605AA0
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_012DB29C
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_012DC310
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_012DB1E9
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_012DB290
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_012D99D0
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_012DDFD0
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_07B1EEC8
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_07B1BDB0
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_07B1B4E0
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_07B1B198
Source: C:\Users\user\Desktop\Order Specifications.exe; Code function: 1_2_07B10026
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_0127C21C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_0127EBE9
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_0127EBF8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_02AC4300
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_02AC0006
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_02AC0040
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_02AC11C8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_02AC11D8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_02AC17E0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_02AC17DB
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 9_2_02AC17D1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0127B29C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0127C310
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0127B1F2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0127B290
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_012799D0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0127DFD0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0753B4E0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0753EEC8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0753BDB0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_0753B198
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_07530026
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_07CC3BE8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_07CC2BA8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_07CC22B8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_07CC7943
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_07CC3BD7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Code function: 13_2_07CC22A9
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1996
Source: Order Specifications.exe; Binary or memory string: OriginalFilename vs Order Specifications.exe
Source: Order Specifications.exe, 00000000.00000000.193984009.0000000000C72000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameyY~ vs Order Specifications.exe
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameB2B.exe4 vs Order Specifications.exe
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Order Specifications.exe
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Order Specifications.exe
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs Order Specifications.exe
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs Order Specifications.exe
Source: Order Specifications.exe, 00000001.00000000.204079840.0000000000932000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameyY~ vs Order Specifications.exe
Source: Order Specifications.exe, 00000001.00000002.237131394.0000000003E19000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamemailpv.exe< vs Order Specifications.exe
Source: Order Specifications.exe, 00000001.00000002.236502532.0000000002E11000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Order Specifications.exe
Source: Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Order Specifications.exe
Source: Order Specifications.exe, 00000001.00000002.235844031.0000000000482000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamePhulli.exe0 vs Order Specifications.exe
Source: Order Specifications.exe; Binary or memory string: OriginalFilenameyY~ vs Order Specifications.exe
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000001.00000002.236772436.00000000030AA000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000D.00000002.295014306.0000000002E4A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 00000001.00000002.236502532.0000000002E11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000D.00000002.294708011.0000000002BB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 15.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 15.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: 1.2.Order Specifications.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: RAT_HawkEye (date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye)
Source: 1.2.Order Specifications.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Hawkeye (author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research)
Source: Order Specifications.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.1.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 1.2.Order Specifications.exe.400000.0.unpack, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.Order Specifications.exe.400000.0.unpack, Form1.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs; Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs; Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Order Specifications.exe.400000.0.unpack, Form1.cs; Base64 encoded string: 'HYGinuP2W+wS+vkfHX79hl2vStbGLw3J+5Xsl+GnhDp9F4gBEJnUv5/nqV7ZWYvtqqFV2qAl3+H38NZH4iJ2Jw==', 'i4O7FYqpGut2ExYGGOwrdwkHCsxkl1hqaftLh+g8tuZF5n3euDzP0xcReF8ffTJSfqZzx99SZmhL14LSAmPnrw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs; Base64 encoded string: 'HYGinuP2W+wS+vkfHX79hl2vStbGLw3J+5Xsl+GnhDp9F4gBEJnUv5/nqV7ZWYvtqqFV2qAl3+H38NZH4iJ2Jw==', 'i4O7FYqpGut2ExYGGOwrdwkHCsxkl1hqaftLh+g8tuZF5n3euDzP0xcReF8ffTJSfqZzx99SZmhL14LSAmPnrw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 15.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs; Base64 encoded string: 'HYGinuP2W+wS+vkfHX79hl2vStbGLw3J+5Xsl+GnhDp9F4gBEJnUv5/nqV7ZWYvtqqFV2qAl3+H38NZH4iJ2Jw==', 'i4O7FYqpGut2ExYGGOwrdwkHCsxkl1hqaftLh+g8tuZF5n3euDzP0xcReF8ffTJSfqZzx99SZmhL14LSAmPnrw==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@14/20@2/2
Source: C:\Users\user\Desktop\Order Specifications.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Specifications.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6580
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5712
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAB8.tmp
Source: C:\Users\user\Desktop\Order Specifications.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Order Specifications.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Order Specifications.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp; Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp; Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp; Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp; Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp; Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp; Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\Order Specifications.exe; File read: C:\Users\user\Desktop\Order Specifications.exe
Source: unknown; Process created: C:\Users\user\Desktop\Order Specifications.exe 'C:\Users\user\Desktop\Order Specifications.exe'
Source: unknown; Process created: C:\Users\user\Desktop\Order Specifications.exe {path}
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 1996
Source: unknown; Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe {path}
Source: unknown; Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe {path}
Source: unknown; Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe {path}
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1996
Source: unknown; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6580 -s 1296
Source: C:\Users\user\Desktop\Order Specifications.exe; Process created: C:\Users\user\Desktop\Order Specifications.exe {path}
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe {path}
Source: C:\Users\user\Desktop\Order Specifications.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Order Specifications.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: Order Specifications.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Order Specifications.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: Order Specifications.exeStatic file information: File size 1278464 > 1048576
                Source: Order Specifications.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x137800
                Source: Order Specifications.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: Binary string: System.Core.ni.pdbRSDSD source: WER6235.tmp.dmp.29.dr
                Source: Binary string: icrosoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Order Specifications.exe, 00000001.00000002.240479034.0000000007580000.00000004.00000001.sdmp
                Source: Binary string: System.Xml.ni.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: symbols\dll\mscorlib.pdb source: Order Specifications.exe, 00000001.00000002.240937600.000000000890A000.00000004.00000010.sdmp, WindowsUpdate.exe, 0000000D.00000002.300961392.00000000082DA000.00000004.00000010.sdmp
                Source: Binary string: Accessibility.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: System.ni.pdbRSDS source: WER6235.tmp.dmp.29.dr
                Source: Binary string: System.pdbl source: WER3411.tmp.dmp.19.dr
                Source: Binary string: .pdb0 source: WindowsUpdate.exe, 0000000F.00000002.319038193.00000000011C8000.00000004.00000010.sdmp
                Source: Binary string: System.Configuration.ni.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: mscorlib.ni.pdbRSDS source: WER6235.tmp.dmp.29.dr
                Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.235794602.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.293777783.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp
                Source: Binary string: System.Runtime.Remoting.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: jVisualBasic.pdb source: WindowsUpdate.exe, 0000000F.00000002.319038193.00000000011C8000.00000004.00000010.sdmp
                Source: Binary string: System.Configuration.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: mscorlib.pdbLN# source: WERCAB8.tmp.dmp.4.dr
                Source: Binary string: System.Xml.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: System.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: System.Core.ni.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: Microsoft.VisualBasic.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: jLC:\Windows\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 0000000F.00000002.319038193.00000000011C8000.00000004.00000010.sdmp
                Source: Binary string: System.Windows.Forms.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: System.Runtime.Remoting.pdbrdk source: WER6235.tmp.dmp.29.dr
                Source: Binary string: mscorlib.pdb source: Order Specifications.exe, 00000001.00000002.240479034.0000000007580000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.299330529.000000000702B000.00000004.00000001.sdmp, WER6235.tmp.dmp.29.dr
                Source: Binary string: Order Specifications.PDB source: Order Specifications.exe, 00000001.00000002.240937600.000000000890A000.00000004.00000010.sdmp
                Source: Binary string: Accessibility.pdb0D source: WERCAB8.tmp.dmp.4.dr
                Source: Binary string: System.Drawing.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: System.Management.pdb source: WERCAB8.tmp.dmp.4.dr
                Source: Binary string: mscorlib.ni.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.236502532.0000000002E11000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.294950264.0000000002DD1000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp
                Source: Binary string: j0C:\Windows\mscorlib.pdb source: Order Specifications.exe, 00000001.00000002.240937600.000000000890A000.00000004.00000010.sdmp, WindowsUpdate.exe, 0000000D.00000002.300961392.00000000082DA000.00000004.00000010.sdmp
                Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER6235.tmp.dmp.29.dr
                Source: Binary string: Accessibility.pdb< source: WER6235.tmp.dmp.29.dr
                Source: Binary string: System.Core.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Order Specifications.exe, 00000000.00000002.210078015.00000000043B9000.00000004.00000001.sdmp, Order Specifications.exe, 00000001.00000002.237131394.0000000003E19000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000009.00000002.276935261.0000000003FD9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.296473707.0000000003BB9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000E.00000002.289320297.00000000045B9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.318792489.0000000000402000.00000040.00000001.sdmp
                Source: Binary string: System.Drawing.pdb04 source: WER3411.tmp.dmp.19.dr
                Source: Binary string: System.Xml.pdbD source: WER6235.tmp.dmp.29.dr
                Source: Binary string: .pdb source: Order Specifications.exe, 00000001.00000002.240937600.000000000890A000.00000004.00000010.sdmp, WindowsUpdate.exe, 0000000D.00000002.300961392.00000000082DA000.00000004.00000010.sdmp
                Source: Binary string: System.Xml.ni.pdbRSDS source: WER6235.tmp.dmp.29.dr
                Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: Order Specifications.exe, 00000001.00000002.240937600.000000000890A000.00000004.00000010.sdmp, WindowsUpdate.exe, 0000000D.00000002.300961392.00000000082DA000.00000004.00000010.sdmp
                Source: Binary string: WindowsUpdate.PDB- source: WindowsUpdate.exe, 0000000D.00000002.300961392.00000000082DA000.00000004.00000010.sdmp
                Source: Binary string: System.ni.pdb source: WER6235.tmp.dmp.29.dr
                Source: Binary string: C:\Users\user\AppData\Roaming\WindowsUpdate.PDB source: WindowsUpdate.exe, 0000000F.00000002.319038193.00000000011C8000.00000004.00000010.sdmp

                Data Obfuscation:
