Loading ...

Play interactive tourEdit tour

Analysis Report 8oaZfXDstn

Overview

General Information

Sample Name:8oaZfXDstn (renamed file extension from none to exe)
Analysis ID:317444
MD5:ae1a45894dba2a1a2c003cadd08a2821
SHA1:7ea24923c3403fb72dd186a85221a6e077165b69
SHA256:ec021f264e15c9d1c6cf8a5b12325f76d3218abc56927abd63180c3067d24938

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • 8oaZfXDstn.exe (PID: 6676 cmdline: 'C:\Users\user\Desktop\8oaZfXDstn.exe' MD5: AE1A45894DBA2A1A2C003CADD08A2821)
    • 8oaZfXDstn.exe (PID: 6692 cmdline: 'C:\Users\user\Desktop\8oaZfXDstn.exe' MD5: AE1A45894DBA2A1A2C003CADD08A2821)
      • dw20.exe (PID: 6944 cmdline: dw20.exe -x -s 2308 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 7088 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 7100 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 6636 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: AE1A45894DBA2A1A2C003CADD08A2821)
    • WindowsUpdate.exe (PID: 7132 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: AE1A45894DBA2A1A2C003CADD08A2821)
      • dw20.exe (PID: 6856 cmdline: dw20.exe -x -s 2268 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • WindowsUpdate.exe (PID: 7084 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: AE1A45894DBA2A1A2C003CADD08A2821)
    • WindowsUpdate.exe (PID: 5712 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: AE1A45894DBA2A1A2C003CADD08A2821)
      • dw20.exe (PID: 6764 cmdline: dw20.exe -x -s 1156 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
  • 0x7b6b7:$key: HawkEyeKeylogger
  • 0x7d905:$salt: 099u787978786
  • 0x7bcf8:$string1: HawkEye_Keylogger
  • 0x7cb37:$string1: HawkEye_Keylogger
  • 0x7d865:$string1: HawkEye_Keylogger
  • 0x7c0cd:$string2: holdermail.txt
  • 0x7c0ed:$string2: holdermail.txt
  • 0x7c00f:$string3: wallet.dat
  • 0x7c027:$string3: wallet.dat
  • 0x7c03d:$string3: wallet.dat
  • 0x7d429:$string4: Keylog Records
  • 0x7d741:$string4: Keylog Records
  • 0x7d95d:$string5: do not script -->
  • 0x7b69f:$string6: \pidloc.txt
  • 0x7b72d:$string7: BSPLIT
  • 0x7b73d:$string7: BSPLIT
00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
        • 0x7bd50:$hawkstr1: HawkEye Keylogger
        • 0x7cb7d:$hawkstr1: HawkEye Keylogger
        • 0x7ceac:$hawkstr1: HawkEye Keylogger
        • 0x7d007:$hawkstr1: HawkEye Keylogger
        • 0x7d16a:$hawkstr1: HawkEye Keylogger
        • 0x7d401:$hawkstr1: HawkEye Keylogger
        • 0x7b8de:$hawkstr2: Dear HawkEye Customers!
        • 0x7ceff:$hawkstr2: Dear HawkEye Customers!
        • 0x7d056:$hawkstr2: Dear HawkEye Customers!
        • 0x7d1bd:$hawkstr2: Dear HawkEye Customers!
        • 0x7b9ff:$hawkstr3: HawkEye Logger Details:
        Click to see the 138 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        17.2.WindowsUpdate.exe.24b0000.3.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
        • 0x7b8b7:$key: HawkEyeKeylogger
        • 0x7db05:$salt: 099u787978786
        • 0x7bef8:$string1: HawkEye_Keylogger
        • 0x7cd37:$string1: HawkEye_Keylogger
        • 0x7da65:$string1: HawkEye_Keylogger
        • 0x7c2cd:$string2: holdermail.txt
        • 0x7c2ed:$string2: holdermail.txt
        • 0x7c20f:$string3: wallet.dat
        • 0x7c227:$string3: wallet.dat
        • 0x7c23d:$string3: wallet.dat
        • 0x7d629:$string4: Keylog Records
        • 0x7d941:$string4: Keylog Records
        • 0x7db5d:$string5: do not script -->
        • 0x7b89f:$string6: \pidloc.txt
        • 0x7b92d:$string7: BSPLIT
        • 0x7b93d:$string7: BSPLIT
        17.2.WindowsUpdate.exe.24b0000.3.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          17.2.WindowsUpdate.exe.24b0000.3.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
            17.2.WindowsUpdate.exe.24b0000.3.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              17.2.WindowsUpdate.exe.24b0000.3.unpackHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
              • 0x7bf50:$hawkstr1: HawkEye Keylogger
              • 0x7cd7d:$hawkstr1: HawkEye Keylogger
              • 0x7d0ac:$hawkstr1: HawkEye Keylogger
              • 0x7d207:$hawkstr1: HawkEye Keylogger
              • 0x7d36a:$hawkstr1: HawkEye Keylogger
              • 0x7d601:$hawkstr1: HawkEye Keylogger
              • 0x7bade:$hawkstr2: Dear HawkEye Customers!
              • 0x7d0ff:$hawkstr2: Dear HawkEye Customers!
              • 0x7d256:$hawkstr2: Dear HawkEye Customers!
              • 0x7d3bd:$hawkstr2: Dear HawkEye Customers!
              • 0x7bbff:$hawkstr3: HawkEye Logger Details:
              Click to see the 104 entries

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Found malware configurationShow sources
              Source: 8oaZfXDstn.exe.6692.2.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
              Source: 8oaZfXDstn.exe.6692.2.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
              Multi AV Scanner detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 62%
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 62%
              Multi AV Scanner detection for submitted fileShow sources
              Source: 8oaZfXDstn.exeReversingLabs: Detection: 62%
              Source: 8oaZfXDstn.exeReversingLabs: Detection: 62%
              Machine Learning detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
              Machine Learning detection for sampleShow sources
              Source: 8oaZfXDstn.exeJoe Sandbox ML: detected
              Source: 8oaZfXDstn.exeJoe Sandbox ML: detected
              Source: 2.2.8oaZfXDstn.exe.ad0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.8oaZfXDstn.exe.ad0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 15.2.WindowsUpdate.exe.2b20000.2.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 1.2.8oaZfXDstn.exe.2990000.2.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 2.2.8oaZfXDstn.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.8oaZfXDstn.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 17.2.WindowsUpdate.exe.22d0000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 17.2.WindowsUpdate.exe.24b0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 17.2.WindowsUpdate.exe.24b0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 20.2.WindowsUpdate.exe.9f0000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 1.2.8oaZfXDstn.exe.29e0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 1.2.8oaZfXDstn.exe.29e0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.2.8oaZfXDstn.exe.2360000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.8oaZfXDstn.exe.2360000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.2.8oaZfXDstn.exe.a40000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 19.2.WindowsUpdate.exe.2a90000.2.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 15.2.WindowsUpdate.exe.2b70000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 15.2.WindowsUpdate.exe.2b70000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 20.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 20.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 17.2.WindowsUpdate.exe.2360000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 17.2.WindowsUpdate.exe.2360000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 17.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 17.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 20.2.WindowsUpdate.exe.2310000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 20.2.WindowsUpdate.exe.2310000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 19.2.WindowsUpdate.exe.2af0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 19.2.WindowsUpdate.exe.2af0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 20.2.WindowsUpdate.exe.a80000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 20.2.WindowsUpdate.exe.a80000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.2.8oaZfXDstn.exe.ad0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.8oaZfXDstn.exe.ad0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 15.2.WindowsUpdate.exe.2b20000.2.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 1.2.8oaZfXDstn.exe.2990000.2.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 2.2.8oaZfXDstn.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.8oaZfXDstn.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 17.2.WindowsUpdate.exe.22d0000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 17.2.WindowsUpdate.exe.24b0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 17.2.WindowsUpdate.exe.24b0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 20.2.WindowsUpdate.exe.9f0000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 1.2.8oaZfXDstn.exe.29e0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 1.2.8oaZfXDstn.exe.29e0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.2.8oaZfXDstn.exe.2360000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.8oaZfXDstn.exe.2360000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.2.8oaZfXDstn.exe.a40000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 19.2.WindowsUpdate.exe.2a90000.2.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 15.2.WindowsUpdate.exe.2b70000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 15.2.WindowsUpdate.exe.2b70000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 20.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 20.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 17.2.WindowsUpdate.exe.2360000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 17.2.WindowsUpdate.exe.2360000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 17.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 17.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 20.2.WindowsUpdate.exe.2310000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 20.2.WindowsUpdate.exe.2310000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 19.2.WindowsUpdate.exe.2af0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 19.2.WindowsUpdate.exe.2af0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 20.2.WindowsUpdate.exe.a80000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 20.2.WindowsUpdate.exe.a80000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: 8oaZfXDstn.exeBinary or memory string: autorun.inf
              Source: 8oaZfXDstn.exeBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: WindowsUpdate.exeBinary or memory string: [autorun]
              Source: WindowsUpdate.exeBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpBinary or memory string: [autorun]
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: 8oaZfXDstn.exeBinary or memory string: autorun.inf
              Source: 8oaZfXDstn.exeBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: WindowsUpdate.exeBinary or memory string: [autorun]
              Source: WindowsUpdate.exeBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpBinary or memory string: [autorun]
              Source: C:\Users\user\Desktop\8oaZfXDstn.exeCode function: 1_2_00408AB4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_00408AB4
              Source: C:\Users\user\Desktop\8oaZfXDstn.exeCode function: 1_2_00408B90 FindFirstFileA,GetLastError,1_2_00408B90
              Source: C:\Users\user\Desktop\8oaZfXDstn.exeCode function: 1_2_0047D25C FindFirstFileA,GetLastError,FindClose,1_2_0047D25C
              Source: C:\Users\user\Desktop\8oaZfXDstn.exeCode function: 1_2_00405B90 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_00405B90
              Source: C:\Users\user\Desktop\8oaZfXDstn.exeCode function: 1_2_00408AB4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_00408AB4
              Source: C:\Users\user\Desktop\8oaZfXDstn.exeCode function: 1_2_00408B90 FindFirstFileA,GetLastError,1_2_00408B90
              Source: C:\Users\user\Desktop\8oaZfXDstn.exeCode function: 1_2_0047D25C FindFirstFileA,GetLastError,FindClose,1_2_0047D25C
              Source: C:\Users\user\Desktop\8oaZfXDstn.exeCode function: 1_2_00405B90 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_00405B90
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 15_2_00408AB4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,15_2_00408AB4
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 15_2_00408B90 FindFirstFileA,GetLastError,15_2_00408B90
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 15_2_0047D25C FindFirstFileA,GetLastError,FindClose,15_2_0047D25C
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 15_2_00405B90 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,15_2_00405B90
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]17_2_04C476A8
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C414C0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C417F8
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]17_2_04C47698
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then jmp 04C41A73h17_2_04C419A0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then jmp 04C41A73h17_2_04C419B0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C45B70
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C40728
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then mov esp, ebp17_2_04C44830
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C46038
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]17_2_04C476A8
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C414C0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C417F8
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]17_2_04C47698
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then jmp 04C41A73h17_2_04C419A0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then jmp 04C41A73h17_2_04C419B0
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C45B70
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C40728
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then mov esp, ebp17_2_04C44830
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]17_2_04C46038

              Networking:

              barindex
              May check the online IP address of the machineShow sources
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
              Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 17_2_0243A186 recv,17_2_0243A186
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 17_2_0243A186 recv,17_2_0243A186
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmp, 8oaZfXDstn.exe, 00000002.00000002.268940116.0000000000497000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmp, 8oaZfXDstn.exe, 00000002.00000002.268940116.0000000000497000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: 8oaZfXDstn.exe, WindowsUpdate.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmp, 8oaZfXDstn.exe, 00000002.00000002.268940116.0000000000497000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmp, 8oaZfXDstn.exe, 00000002.00000002.268940116.0000000000497000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: 8oaZfXDstn.exe, WindowsUpdate.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: unknownDNS traffic detected: queries for: 220.240.8.0.in-addr.arpa
              Source: unknownDNS traffic detected: queries for: 220.240.8.0.in-addr.arpa
              Source: 8oaZfXDstn.exe, 00000001.00000002.249207701.00000000029E2000.00000040.00000001.sdmp, 8oaZfXDstn.exe, 00000002.00000002.268940116.0000000000497000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.292210045.0000000002B72000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000011.00000002.306936174.0000000002362000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000013.00000002.311667011.0000000002B87000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000014.00000002.328298700.0000000000A82000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: 8oaZfXDstn.exe, 00000002.00000003.252834172.000000000509C000.00000004.00000001.sdmpString found in binary or memory: http://en.wd
              Source: 8oaZf