Analysis Report ZMOKwXqVHO

Overview

General Information

Sample Name: ZMOKwXqVHO (renamed file extension from none to exe)
Analysis ID: 317631
MD5: b21b4ac6445d23e8b8a1b65df573a334
SHA1: bd3f7eae07d33dea9cec38de5d79765af5ce33fb
SHA256: f48fc03a6774a235d15b347b14891185d50d45726f4cc84b838e3d16add5c0d0
Tags: HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ZMOKwXqVHO.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: HEUR/AGEN.1121314
Found malware configuration
Source: vbc.exe.4416.15.memstr Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: ZMOKwXqVHO.exe Metadefender: Detection: 45%
Source: ZMOKwXqVHO.exe ReversingLabs: Detection: 72%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ZMOKwXqVHO.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack Avira: Label: SPR/Tool.MailPassView.473

Spreading:

May infect USB drives
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 15_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 16_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 16_2_00407E0E

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then call 02C36828h 10_2_02C3DB1C
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_02C3DB1C
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 10_2_02C3D500
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then mov esp, ebp 10_2_02C39A20
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_02C3B3D5
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_02C319C3
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then jmp 02C3676Eh 10_2_02C366A8
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_02C3B7B8
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_02C30773
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_02C364EB
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_0BD7065E
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 10_2_0BD704A0

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49737 -> 31.209.137.12:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.154.36 104.16.154.36
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49737 -> 31.209.137.12:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 149.189.2.0.in-addr.arpa
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com=
Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.361490197.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.360927587.0000000009402000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn%e
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnMe/
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnueG
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ZMOKwXqVHO.exe, 0000000A.00000003.371781685.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/I
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ZMOKwXqVHO.exe, 0000000A.00000003.372133424.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmL
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.363163049.00000000093FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//-uk
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363163049.00000000093FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/pt-p#
Source: ZMOKwXqVHO.exe, 0000000A.00000003.374927092.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: ZMOKwXqVHO.exe, 0000000A.00000003.375035852.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.1
Source: vbc.exe, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.359317739.00000000093FC000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363669672.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363669672.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com-rS
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361434344.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361357543.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.como
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361696938.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnGe
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361696938.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cne
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361785361.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnlt
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361785361.000000000941E000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: ZMOKwXqVHO.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: ZMOKwXqVHO.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: ZMOKwXqVHO.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ZMOKwXqVHO.exe PID: 5664, type: MEMORY
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 15_2_0040AC8A

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_0214117C NtProtectVirtualMemory, 0_2_0214117C
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DD5E3A NtWriteVirtualMemory, 10_2_06DD5E3A
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DD55F6 NtQuerySystemInformation, 10_2_06DD55F6
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DD5D92 NtResumeThread, 10_2_06DD5D92
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DD5E0D NtWriteVirtualMemory, 10_2_06DD5E0D
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DD55C4 NtQuerySystemInformation, 10_2_06DD55C4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 16_2_00408836
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 17_2_0231117C NtProtectVirtualMemory, 17_2_0231117C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_0225117C NtProtectVirtualMemory, 21_2_0225117C
Detected potential crypto function
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_00408422 0_2_00408422
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_021422B4 0_2_021422B4
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_004060F0 10_2_004060F0
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00406159 10_2_00406159
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0040A570 10_2_0040A570
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_004107A5 10_2_004107A5
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00405A80 10_2_00405A80
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00402AB0 10_2_00402AB0
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00405D60 10_2_00405D60
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00409E70 10_2_00409E70
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0040AE0F 10_2_0040AE0F
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0040BE30 10_2_0040BE30
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C36AC8 10_2_02C36AC8
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C3DB1C 10_2_02C3DB1C
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C3CDF8 10_2_02C3CDF8
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C3AD98 10_2_02C3AD98
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C36ABB 10_2_02C36ABB
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C319D9 10_2_02C319D9
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C319E8 10_2_02C319E8
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C3B7B8 10_2_02C3B7B8
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C3AD89 10_2_02C3AD89
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C3DE38 10_2_02C3DE38
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C3B7C8 10_2_02C3B7C8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00404DDB 15_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_0040BD8A 15_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00404E4C 15_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00404EBD 15_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00404F4E 15_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00404419 16_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00404516 16_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00413538 16_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_004145A1 16_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_0040E639 16_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_004337AF 16_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_004399B1 16_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_0043DAE7 16_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00405CF6 16_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00403F85 16_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00411F99 16_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 17_2_023122B4 17_2_023122B4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_022522B4 21_2_022522B4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 22_2_00408422 22_2_00408422
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: String function: 00410D6C appears 44 times
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: String function: 0040443A appears 44 times
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: String function: 004044F1 appears 63 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
PE / OLE file has an invalid certificate
Source: ZMOKwXqVHO.exe Static PE information: invalid certificate
PE file contains strange resources
Source: ZMOKwXqVHO.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: ZMOKwXqVHO.exe, 00000000.00000002.303894995.00000000004BC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 00000000.00000002.304224454.0000000002130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 00000000.00000002.304962839.0000000003176000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 0000000A.00000003.395927643.000000000AA4D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 0000000A.00000002.526199139.000000000047A000.00000004.00020000.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534124315.0000000006F70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe, 0000000A.00000002.545079962.000000000B0E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ZMOKwXqVHO.exe
Source: ZMOKwXqVHO.exe Binary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
Yara signature match
Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.cs Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@13/5@4/4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 16_2_00415AFD
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DD404A AdjustTokenPrivileges, 10_2_06DD404A
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DD4013 AdjustTokenPrivileges, 10_2_06DD4013
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 16_2_00415F87
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW, 10_2_00401470
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File created: C:\Users\user\AppData\Local\Temp\~DFC68DDA435CDE0002.TMP
Source: ZMOKwXqVHO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: ZMOKwXqVHO.exe Metadefender: Detection: 45%
Source: ZMOKwXqVHO.exe ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File read: C:\Users\user\Desktop\ZMOKwXqVHO.exe
Source: unknown Process created: C:\Users\user\Desktop\ZMOKwXqVHO.exe 'C:\Users\user\Desktop\ZMOKwXqVHO.exe'
Source: unknown Process created: C:\Users\user\Desktop\ZMOKwXqVHO.exe C:\Users\user\Desktop\ZMOKwXqVHO.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process created: C:\Users\user\Desktop\ZMOKwXqVHO.exe C:\Users\user\Desktop\ZMOKwXqVHO.exe'
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: mC:\Windows\System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Ru.pdb.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe
Source: Binary string: System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.534124315.0000000006F70000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Unpacked PE file: 10.2.ZMOKwXqVHO.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Unpacked PE file: 10.2.ZMOKwXqVHO.exe.400000.0.unpack
.NET source code contains potential unpacker
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs .Net Code: RWlSGMtJk System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW, 10_2_00401470
PE file contains an invalid checksum
Source: ZMOKwXqVHO.exe Static PE information: real checksum: 0xc4681 should be: 0xc616b
Source: WindowsUpdate.exe.10.dr Static PE information: real checksum: 0xc4681 should be: 0xc616b
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_00405850 push esi; iretd 0_2_00405851
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_00405808 push esi; iretd 0_2_00405809
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_00403D6C push ebx; iretd 0_2_00403D71
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_004065F9 push ebx; iretd 0_2_004065FE
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_00402EEA push esi; iretd 0_2_00402EED
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_00405777 push esi; iretd 0_2_0040577A
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_00402F7B push esi; iretd 0_2_00402F7C
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_00402FC3 push esi; iretd 0_2_00402FC4
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00410DB1 push ecx; ret 10_2_00410DC4
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047B898 push cs; ret 10_2_0047B938
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047C253 push B86A34CEh; ret 10_2_0047C258
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047DA1A push dword ptr [esi]; retf 10_2_0047DA3C
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047EA97 push es; iretd 10_2_0047EAA9
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047D6C6 push ecx; ret 10_2_0047D6D2
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047C6E9 push ecx; iretd 10_2_0047C7B8
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047F6FC push ebx; retf 10_2_0047F70A
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047C684 push ADA19B0Eh; iretd 10_2_0047C689
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047FEA2 push esp; iretd 10_2_0047FEB3
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047D6A1 push ebp; iretd 10_2_0047D6A7
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_0047C77A push ecx; iretd 10_2_0047C7B8
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C35A27 push ds; ret 10_2_02C35A2E
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C3586F push ds; ret 10_2_02C35872
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_02C35947 push ds; ret 10_2_02C3594A
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DC0870 push es; retn 0008h 10_2_06DC097C
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DC0870 push es; retn 0024h 10_2_06DC09EC
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DC09EF push es; retn 0020h 10_2_06DC0A94
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DC09B7 push es; retn 0020h 10_2_06DC09B4
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DC09B7 push es; retn 0024h 10_2_06DC09EC
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_06DC097F push es; retn 0020h 10_2_06DC09B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00411879 push ecx; ret 15_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_004118A0 push eax; ret 15_2_004118B4
Source: initial sample Static PE information: section name: .text entropy: 7.23406008537
Source: initial sample Static PE information: section name: .text entropy: 7.23406008537
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.cs High entropy of concatenated method names: '.cctor', 'USyTN3LVEAtbl', 'Duof4wqCd4', 'mDaflC1GXr', 'eLAfDIWtjy', 'DmlfLdh5l2', 'ITafvp0oPQ', 'l6FfQloMnm', 'u2of93EAds', 'WO1fcEIt3K'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 15_2_0040F64B
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW, 10_2_00401470
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Thread delayed: delay time: 180000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 3152 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 6868 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 6940 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99796s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99343s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -98546s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe TID: 2224 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 15_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 16_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 16_2_00407E0E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 16_2_004161B0 memset,GetSystemInfo, 16_2_004161B0
Source: ZMOKwXqVHO.exe, 0000000A.00000002.545079962.000000000B0E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: ZMOKwXqVHO.exe, 0000000A.00000002.545079962.000000000B0E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: ZMOKwXqVHO.exe, 0000000A.00000002.545079962.000000000B0E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: ZMOKwXqVHO.exe, 0000000A.00000002.545079962.000000000B0E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_004119BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_004119BE
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW, 10_2_00401470
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW, 10_2_00401470
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_02141216 mov eax, dword ptr fs:[00000030h] 0_2_02141216
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_02141209 mov eax, dword ptr fs:[00000030h] 0_2_02141209
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_021422B4 mov eax, dword ptr fs:[00000030h] 0_2_021422B4
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_02140FD1 mov eax, dword ptr fs:[00000030h] 0_2_02140FD1
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 0_2_0214119A mov eax, dword ptr fs:[00000030h] 0_2_0214119A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 17_2_023122B4 mov eax, dword ptr fs:[00000030h] 17_2_023122B4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 17_2_02311216 mov eax, dword ptr fs:[00000030h] 17_2_02311216
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 17_2_0231119A mov eax, dword ptr fs:[00000030h] 17_2_0231119A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 17_2_02311209 mov eax, dword ptr fs:[00000030h] 17_2_02311209
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 17_2_02310FD1 mov eax, dword ptr fs:[00000030h] 17_2_02310FD1
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_022522B4 mov eax, dword ptr fs:[00000030h] 21_2_022522B4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_02251209 mov eax, dword ptr fs:[00000030h] 21_2_02251209
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_02251216 mov eax, dword ptr fs:[00000030h] 21_2_02251216
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_0225119A mov eax, dword ptr fs:[00000030h] 21_2_0225119A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_02250FD1 mov eax, dword ptr fs:[00000030h] 21_2_02250FD1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00405550 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc, 10_2_00405550
Enables debug privileges
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_004154E1 SetUnhandledExceptionFilter, 10_2_004154E1
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_004119BE _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_004119BE
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00415C0B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00415C0B
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Code function: 10_2_00418E39 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00418E39
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs Reference to suspicious API methods: ('VQojqZQsg', 'GetAsyncKeyState@user32')
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.cs Reference to suspicious API methods: ('PjXfTyhGNW', 'LoadLibrary@kernel32'), ('qqGf8a5ACE', 'OpenProcess@kernel32.dll'), ('zBpfSYynXA', 'ReadProcessMemory@kernel32.dll'), ('chgfYfYnfW', 'GetProcAddress@kernel32'), ('PZffFwr7mp', 'VirtualProtect@kernel32.dll'), ('YBjfqo14Co', 'WriteProcessMemory@kernel32.dll'), ('DmlfLdh5l2', 'VirtualProtect@kernel32.dll'), ('ITafvp0oPQ', 'FindResource@kernel32.dll')
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/RunPE.cs Reference to suspicious API methods: ('Y68f56aSoO', 'VirtualProtectEx@kernel32'), ('CEWfaKg89l', 'WriteProcessMemory@kernel32'), ('AH8fBhbjSe', 'ReadProcessMemory@kernel32'), ('UavfPuB2r8', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process created: C:\Users\user\Desktop\ZMOKwXqVHO.exe 'C:\Users\user\Desktop\ZMOKwXqVHO.exe'
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'