Loading ...

Play interactive tourEdit tour

Analysis Report 9vdouqRTh3

Overview

General Information

Sample Name:9vdouqRTh3 (renamed file extension from none to exe)
Analysis ID:317374
MD5:b6b3d6cdf1a21f110cad0f4102fa7385
SHA1:dd087f9b2c4030ab6d441625f42d7bf472904a25
SHA256:4aa2ba898c0c924d352ab195b280922a85b97970a6fa03183b6a717c547c9173
Tags:HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • 9vdouqRTh3.exe (PID: 6740 cmdline: 'C:\Users\user\Desktop\9vdouqRTh3.exe' MD5: B6B3D6CDF1A21F110CAD0F4102FA7385)
    • 9vdouqRTh3.exe (PID: 6760 cmdline: 'C:\Users\user\Desktop\9vdouqRTh3.exe' MD5: B6B3D6CDF1A21F110CAD0F4102FA7385)
      • dw20.exe (PID: 6908 cmdline: dw20.exe -x -s 2104 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 7012 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7024 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 5832 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B6B3D6CDF1A21F110CAD0F4102FA7385)
    • WindowsUpdate.exe (PID: 5768 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B6B3D6CDF1A21F110CAD0F4102FA7385)
      • dw20.exe (PID: 6224 cmdline: dw20.exe -x -s 2276 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • WindowsUpdate.exe (PID: 6940 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B6B3D6CDF1A21F110CAD0F4102FA7385)
    • WindowsUpdate.exe (PID: 7004 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B6B3D6CDF1A21F110CAD0F4102FA7385)
      • dw20.exe (PID: 4388 cmdline: dw20.exe -x -s 2284 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
    • backgroundTaskHost.exe (PID: 7004 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
  • 0x7b99f:$key: HawkEyeKeylogger
  • 0x7dbed:$salt: 099u787978786
  • 0x7bfe0:$string1: HawkEye_Keylogger
  • 0x7ce1f:$string1: HawkEye_Keylogger
  • 0x7db4d:$string1: HawkEye_Keylogger
  • 0x7c3b5:$string2: holdermail.txt
  • 0x7c3d5:$string2: holdermail.txt
  • 0x7c2f7:$string3: wallet.dat
  • 0x7c30f:$string3: wallet.dat
  • 0x7c325:$string3: wallet.dat
  • 0x7d711:$string4: Keylog Records
  • 0x7da29:$string4: Keylog Records
  • 0x7dc45:$string5: do not script -->
  • 0x7b987:$string6: \pidloc.txt
  • 0x7ba15:$string7: BSPLIT
  • 0x7ba25:$string7: BSPLIT
00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
        • 0x7c038:$hawkstr1: HawkEye Keylogger
        • 0x7ce65:$hawkstr1: HawkEye Keylogger
        • 0x7d194:$hawkstr1: HawkEye Keylogger
        • 0x7d2ef:$hawkstr1: HawkEye Keylogger
        • 0x7d452:$hawkstr1: HawkEye Keylogger
        • 0x7d6e9:$hawkstr1: HawkEye Keylogger
        • 0x7bbc6:$hawkstr2: Dear HawkEye Customers!
        • 0x7d1e7:$hawkstr2: Dear HawkEye Customers!
        • 0x7d33e:$hawkstr2: Dear HawkEye Customers!
        • 0x7d4a5:$hawkstr2: Dear HawkEye Customers!
        • 0x7bce7:$hawkstr3: HawkEye Logger Details:
        Click to see the 148 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        18.1.WindowsUpdate.exe.400000.0.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
        • 0x11299f:$key: HawkEyeKeylogger
        • 0x114bed:$salt: 099u787978786
        • 0x112fe0:$string1: HawkEye_Keylogger
        • 0x113e1f:$string1: HawkEye_Keylogger
        • 0x114b4d:$string1: HawkEye_Keylogger
        • 0x1133b5:$string2: holdermail.txt
        • 0x1133d5:$string2: holdermail.txt
        • 0x1132f7:$string3: wallet.dat
        • 0x11330f:$string3: wallet.dat
        • 0x113325:$string3: wallet.dat
        • 0x114711:$string4: Keylog Records
        • 0x114a29:$string4: Keylog Records
        • 0x114c45:$string5: do not script -->
        • 0x112987:$string6: \pidloc.txt
        • 0x112a15:$string7: BSPLIT
        • 0x112a25:$string7: BSPLIT
        18.1.WindowsUpdate.exe.400000.0.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          18.1.WindowsUpdate.exe.400000.0.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
            18.1.WindowsUpdate.exe.400000.0.unpackHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
            • 0x113038:$hawkstr1: HawkEye Keylogger
            • 0x113e65:$hawkstr1: HawkEye Keylogger
            • 0x114194:$hawkstr1: HawkEye Keylogger
            • 0x1142ef:$hawkstr1: HawkEye Keylogger
            • 0x114452:$hawkstr1: HawkEye Keylogger
            • 0x1146e9:$hawkstr1: HawkEye Keylogger
            • 0x112bc6:$hawkstr2: Dear HawkEye Customers!
            • 0x1141e7:$hawkstr2: Dear HawkEye Customers!
            • 0x11433e:$hawkstr2: Dear HawkEye Customers!
            • 0x1144a5:$hawkstr2: Dear HawkEye Customers!
            • 0x112ce7:$hawkstr3: HawkEye Logger Details:
            1.1.9vdouqRTh3.exe.400000.0.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
            • 0x11299f:$key: HawkEyeKeylogger
            • 0x114bed:$salt: 099u787978786
            • 0x112fe0:$string1: HawkEye_Keylogger
            • 0x113e1f:$string1: HawkEye_Keylogger
            • 0x114b4d:$string1: HawkEye_Keylogger
            • 0x1133b5:$string2: holdermail.txt
            • 0x1133d5:$string2: holdermail.txt
            • 0x1132f7:$string3: wallet.dat
            • 0x11330f:$string3: wallet.dat
            • 0x113325:$string3: wallet.dat
            • 0x114711:$string4: Keylog Records
            • 0x114a29:$string4: Keylog Records
            • 0x114c45:$string5: do not script -->
            • 0x112987:$string6: \pidloc.txt
            • 0x112a15:$string7: BSPLIT
            • 0x112a25:$string7: BSPLIT
            Click to see the 109 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: WindowsUpdate.exe.5832.8.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
            Source: WindowsUpdate.exe.5832.8.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
            Multi AV Scanner detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 37%Perma Link
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 82%
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 37%Perma Link
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 82%
            Multi AV Scanner detection for submitted fileShow sources
            Source: 9vdouqRTh3.exeVirustotal: Detection: 54%Perma Link
            Source: 9vdouqRTh3.exeMetadefender: Detection: 37%Perma Link
            Source: 9vdouqRTh3.exeReversingLabs: Detection: 82%
            Source: 9vdouqRTh3.exeVirustotal: Detection: 54%Perma Link
            Source: 9vdouqRTh3.exeMetadefender: Detection: 37%Perma Link
            Source: 9vdouqRTh3.exeReversingLabs: Detection: 82%
            Machine Learning detection for dropped fileShow sources
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
            Machine Learning detection for sampleShow sources
            Source: 9vdouqRTh3.exeJoe Sandbox ML: detected
            Source: 9vdouqRTh3.exeJoe Sandbox ML: detected
            Source: 0.2.9vdouqRTh3.exe.2ae0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 18.2.WindowsUpdate.exe.990000.1.unpackAvira: Label: TR/Inject.vcoldi
            Source: 17.2.WindowsUpdate.exe.2b40000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 17.2.WindowsUpdate.exe.2b40000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 1.2.9vdouqRTh3.exe.21f0000.1.unpackAvira: Label: TR/Inject.vcoldi
            Source: 18.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 18.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9.2.WindowsUpdate.exe.2310000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 9.2.WindowsUpdate.exe.2310000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 0.2.9vdouqRTh3.exe.2b30000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 0.2.9vdouqRTh3.exe.2b30000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 9.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 1.1.9vdouqRTh3.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 1.1.9vdouqRTh3.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 17.2.WindowsUpdate.exe.2af0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 8.2.WindowsUpdate.exe.2b20000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 8.2.WindowsUpdate.exe.2b20000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9.2.WindowsUpdate.exe.21f0000.1.unpackAvira: Label: TR/Inject.vcoldi
            Source: 1.2.9vdouqRTh3.exe.22f0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 1.2.9vdouqRTh3.exe.22f0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 1.2.9vdouqRTh3.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 1.2.9vdouqRTh3.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 18.2.WindowsUpdate.exe.2210000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 18.2.WindowsUpdate.exe.2210000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 18.2.WindowsUpdate.exe.2330000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 18.2.WindowsUpdate.exe.2330000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 8.2.WindowsUpdate.exe.2ad0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 1.2.9vdouqRTh3.exe.2380000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 1.2.9vdouqRTh3.exe.2380000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9.2.WindowsUpdate.exe.2280000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 9.2.WindowsUpdate.exe.2280000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 0.2.9vdouqRTh3.exe.2ae0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 18.2.WindowsUpdate.exe.990000.1.unpackAvira: Label: TR/Inject.vcoldi
            Source: 17.2.WindowsUpdate.exe.2b40000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 17.2.WindowsUpdate.exe.2b40000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 1.2.9vdouqRTh3.exe.21f0000.1.unpackAvira: Label: TR/Inject.vcoldi
            Source: 18.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 18.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9.2.WindowsUpdate.exe.2310000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 9.2.WindowsUpdate.exe.2310000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 0.2.9vdouqRTh3.exe.2b30000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 0.2.9vdouqRTh3.exe.2b30000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 9.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 1.1.9vdouqRTh3.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 1.1.9vdouqRTh3.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 17.2.WindowsUpdate.exe.2af0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 8.2.WindowsUpdate.exe.2b20000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 8.2.WindowsUpdate.exe.2b20000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9.2.WindowsUpdate.exe.21f0000.1.unpackAvira: Label: TR/Inject.vcoldi
            Source: 1.2.9vdouqRTh3.exe.22f0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 1.2.9vdouqRTh3.exe.22f0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 1.2.9vdouqRTh3.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 1.2.9vdouqRTh3.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 18.2.WindowsUpdate.exe.2210000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 18.2.WindowsUpdate.exe.2210000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 18.2.WindowsUpdate.exe.2330000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 18.2.WindowsUpdate.exe.2330000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 8.2.WindowsUpdate.exe.2ad0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 1.2.9vdouqRTh3.exe.2380000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 1.2.9vdouqRTh3.exe.2380000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9.2.WindowsUpdate.exe.2280000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
            Source: 9.2.WindowsUpdate.exe.2280000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
            Source: 9vdouqRTh3.exe, 00000000.00000002.232390925.0000000002BC7000.00000040.00000001.sdmpBinary or memory string: autorun.inf
            Source: 9vdouqRTh3.exe, 00000000.00000002.232390925.0000000002BC7000.00000040.00000001.sdmpBinary or memory string: [autorun]
            Source: 9vdouqRTh3.exeBinary or memory string: autorun.inf
            Source: 9vdouqRTh3.exeBinary or memory string: [autorun]
            Source: WindowsUpdate.exe, 00000008.00000002.277679971.0000000002B22000.00000040.00000001.sdmpBinary or memory string: autorun.inf
            Source: WindowsUpdate.exe, 00000008.00000002.277679971.0000000002B22000.00000040.00000001.sdmpBinary or memory string: [autorun]
            Source: WindowsUpdate.exeBinary or memory string: [autorun]
            Source: WindowsUpdate.exeBinary or memory string: autorun.inf
            Source: WindowsUpdate.exe, 00000011.00000002.297124067.0000000002BD7000.00000040.00000001.sdmpBinary or memory string: autorun.inf
            Source: WindowsUpdate.exe, 00000011.00000002.297124067.0000000002BD7000.00000040.00000001.sdmpBinary or memory string: [autorun]
            Source: WindowsUpdate.exe, 00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpBinary or memory string: autorun.inf
            Source: WindowsUpdate.exe, 00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpBinary or memory string: [autorun]
            Source: 9vdouqRTh3.exe, 00000000.00000002.232390925.0000000002BC7000.00000040.00000001.sdmpBinary or memory string: autorun.inf
            Source: 9vdouqRTh3.exe, 00000000.00000002.232390925.0000000002BC7000.00000040.00000001.sdmpBinary or memory string: [autorun]
            Source: 9vdouqRTh3.exeBinary or memory string: autorun.inf
            Source: 9vdouqRTh3.exeBinary or memory string: [autorun]
            Source: WindowsUpdate.exe, 00000008.00000002.277679971.0000000002B22000.00000040.00000001.sdmpBinary or memory string: autorun.inf
            Source: WindowsUpdate.exe, 00000008.00000002.277679971.0000000002B22000.00000040.00000001.sdmpBinary or memory string: [autorun]
            Source: WindowsUpdate.exeBinary or memory string: [autorun]
            Source: WindowsUpdate.exeBinary or memory string: autorun.inf
            Source: WindowsUpdate.exe, 00000011.00000002.297124067.0000000002BD7000.00000040.00000001.sdmpBinary or memory string: autorun.inf
            Source: WindowsUpdate.exe, 00000011.00000002.297124067.0000000002BD7000.00000040.00000001.sdmpBinary or memory string: [autorun]
            Source: WindowsUpdate.exe, 00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpBinary or memory string: autorun.inf
            Source: WindowsUpdate.exe, 00000012.00000002.310941683.0000000000497000.00000040.00000001.sdmpBinary or memory string: [autorun]
            Source: C:\Users\user\Desktop\9vdouqRTh3.exeCode function: 0_2_0047A5CC FindFirstFileA,GetLastError,FindClose,0_2_0047A5CC
            Source: C:\Users\user\Desktop\9vdouqRTh3.exeCode function: 0_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408AA8
            Source: C:\Users\user\Desktop\9vdouqRTh3.exeCode function: 0_2_00408B84 FindFirstFileA,GetLastError,0_2_00408B84
            Source: C:\Users\user\Desktop\9vdouqRTh3.exeCode function: 0_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405B94
            Source: C:\Users\user\Desktop\9vdouqRTh3.exeCode function: 0_2_0047A5CC FindFirstFileA,GetLastError,FindClose,0_2_0047A5CC
            Source: C:\Users\user\Desktop\9vdouqRTh3.exeCode function: 0_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408AA8
            Source: C:\Users\user\Desktop\9vdouqRTh3.exeCode function: 0_2_00408B84 FindFirstFileA,GetLastError,0_2_00408B84
            Source: C:\Users\user\Desktop\9vdouqRTh3.exeCode function: 0_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405B94
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_0047A5CC FindFirstFileA,GetLastError,FindClose,8_2_0047A5CC
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,8_2_00408AA8
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00408B84 FindFirstFileA,GetLastError,8_2_00408B84
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,8_2_00405B94
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]9_2_025576A8
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_02555B70
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then mov esp, ebp9_2_02554831
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_02556038
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_02550728
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_025514C0
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_025517F8
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]9_2_02557698
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then jmp 02551A73h9_2_025519B0
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then jmp 02551A73h9_2_025519A0
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]9_2_025576A8
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_02555B70
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then mov esp, ebp9_2_02554831
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_02556038
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_02550728
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_025514C0
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]9_2_025517F8
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]9_2_02557698
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then jmp 02551A73h9_2_025519B0
            Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then jmp 02551A73h9_2_025519A0

            Networking: