
Analysis Report ZMOKwXqVHO

Overview

General Information

Sample Name: ZMOKwXqVHO (renamed file extension from none to exe)
Analysis ID: 317631
MD5: b21b4ac6445d23e8b8a1b65df573a334
SHA1: bd3f7eae07d33dea9cec38de5d79765af5ce33fb
SHA256: f48fc03a6774a235d15b347b14891185d50d45726f4cc84b838e3d16add5c0d0
Tags: HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • ZMOKwXqVHO.exe (PID: 6536 cmdline: 'C:\Users\user\Desktop\ZMOKwXqVHO.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
    • ZMOKwXqVHO.exe (PID: 5664 cmdline: 'C:\Users\user\Desktop\ZMOKwXqVHO.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
      • vbc.exe (PID: 4416 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2248 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 3676 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
    • WindowsUpdate.exe (PID: 5320 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
  • WindowsUpdate.exe (PID: 5180 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
    • WindowsUpdate.exe (PID: 5328 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
  • cleanup
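The process tree above is the whole HawkEye execution chain in miniature: the sample spawns a second copy of itself (the hollowed instance), that copy launches the .NET Visual Basic compiler vbc.exe twice with NirSoft's /stext switch (vbc.exe has no such switch; the MailPassView and WebBrowserPassView tools have been injected into it and told to dump results to holdermail.txt and holderwb.txt), and a byte-identical copy runs from AppData\Roaming as WindowsUpdate.exe. The following hunt script is an added example written for this page, not part of the report or of any vendor tooling. The event records are constructed to mirror the tree (PIDs, image paths and MD5s come from the report; the parent PIDs of the top-level processes, explorer.exe as their parent, and the benign MSBuild control record are assumed). Field names follow Sysmon Event ID 1; the list of .NET host binaries goes beyond the vbc.exe the report shows, to the other framework executables loaders commonly hollow.

```python
"""Hunt for the HawkEye execution chain in process-creation telemetry."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_MD5 = "B21B4AC6445D23E8B8A1B65DF573A334"
VBC_MD5 = "C63ED21D5706A527419C9FBD730FFB2E"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE = r"C:\Users\user\Desktop\ZMOKwXqVHO.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"

# Constructed telemetry mirroring the report's tree; explorer.exe parentage
# and the MSBuild control record are assumptions.
EVENTS = [
    dict(pid=6536, ppid=1000, image=SAMPLE, parent_image=r"C:\Windows\explorer.exe",
         cmdline=f'"{SAMPLE}"', md5=SAMPLE_MD5),
    dict(pid=5664, ppid=6536, image=SAMPLE, parent_image=SAMPLE,
         cmdline=f'"{SAMPLE}"', md5=SAMPLE_MD5),
    dict(pid=4416, ppid=5664, image=VBC, parent_image=SAMPLE,
         cmdline=f'{VBC} /stext "C:\\Users\\user\\AppData\\Local\\Temp\\holdermail.txt"',
         md5=VBC_MD5),
    dict(pid=2248, ppid=5664, image=VBC, parent_image=SAMPLE,
         cmdline=f'{VBC} /stext "C:\\Users\\user\\AppData\\Local\\Temp\\holderwb.txt"',
         md5=VBC_MD5),
    dict(pid=3676, ppid=1000, image=DROPPED, parent_image=r"C:\Windows\explorer.exe",
         cmdline=f'"{DROPPED}"', md5=SAMPLE_MD5),
    # Benign control: a real Visual Basic compile driven by MSBuild.
    dict(pid=7000, ppid=6999, image=VBC,
         parent_image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
         cmdline=f'{VBC} /noconfig @"C:\\build\\obj\\app.rsp"', md5=VBC_MD5),
]

# Signed .NET framework binaries that loaders commonly hollow to host payloads.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe",
                "installutil.exe", "msbuild.exe"}
# NirSoft's command-line switch for "save all items as plain text".
STEXT_RE = re.compile(r'/stext\s+"?([^"\s]+)', re.IGNORECASE)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def hunt(events):
    """Return findings for the three behaviours visible in the report's tree."""
    findings = []
    paths_by_md5 = defaultdict(set)
    for e in events:
        paths_by_md5[e["md5"].upper()].add(e["image"].lower())

    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = ntpath.basename(e["parent_image"]).lower()

        # 1. NirSoft password-recovery tool running inside a .NET host binary:
        #    the real compiler has no /stext switch, so this is injected code.
        m = STEXT_RE.search(e["cmdline"])
        if name in DOTNET_HOSTS and m:
            findings.append(Finding(e["pid"], "nirsoft_in_dotnet_host",
                                    f"{name} writes {m.group(1)}, parent {parent}"))

        # 2. Process spawned by its own image: the usual .NET crypter pattern,
        #    where the child is created suspended and hollowed.
        if e["image"].lower() == e["parent_image"].lower():
            findings.append(Finding(e["pid"], "self_spawn", f"{name} -> {name}"))

        # 3. Same binary (by hash) also running from a user-writable
        #    persistence location under a system-sounding name.
        if ROAMING_RE.search(e["image"]) and len(paths_by_md5[e["md5"].upper()]) > 1:
            findings.append(Finding(e["pid"], "dropped_copy",
                                    f"{name} shares MD5 {e['md5']} with another path"))
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"PID {f.pid}: {f.rule} ({f.detail})")
```

Run against the constructed events, the script flags PIDs 4416 and 2248 (NirSoft tools in vbc.exe), 5664 (self-spawn) and 3676 (the Roaming copy) and stays silent on the MSBuild-driven vbc.exe, which is the distinction a detection needs: vbc.exe launching is normal on developer machines, vbc.exe with /stext never is.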

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000F.00000002.405380242.0000000000400000.00000040.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp | RAT_HawkEye | Detects HawkEye RAT | Kevin Breen <kevin@techanarchy.net>

Strings matched by RAT_HawkEye in 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp:
  • 0x2ad60:$key: HawkEyeKeylogger
  • 0x2ad84:$key: HawkEyeKeylogger
  • 0x2ada8:$key: HawkEyeKeylogger
  • 0x2adcc:$key: HawkEyeKeylogger
  • 0x2adf0:$key: HawkEyeKeylogger
  • 0x2ae14:$key: HawkEyeKeylogger
  • 0x2ae38:$key: HawkEyeKeylogger
  • 0x2f48c:$salt: 099u787978786
  • 0x2b802:$string1: HawkEye_Keylogger
  • 0x2b872:$string1: HawkEye_Keylogger
  • 0x2c9d6:$string1: HawkEye_Keylogger
  • 0x2ca3e:$string1: HawkEye_Keylogger
  • 0x2d78c:$string1: HawkEye_Keylogger
  • 0x2d7f4:$string1: HawkEye_Keylogger
  • 0x2eebe:$string1: HawkEye_Keylogger
  • 0x2f3e2:$string1: HawkEye_Keylogger
  • 0x2bdde:$string2: holdermail.txt
  • 0x2be00:$string2: holdermail.txt
  • 0x2be20:$string2: holdermail.txt
  • 0x2be40:$string2: holdermail.txt
  • 0x2bc72:$string3: wallet.dat
(further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
15.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
16.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
16.2.vbc.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
15.2.vbc.exe.400000.0.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
10.2.ZMOKwXqVHO.exe.2b40000.1.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
(further entries not shown)
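The RAT_HawkEye hits above are plain string atoms at fixed offsets in a memory dump, which makes them easy to re-verify on a dump of your own without a YARA engine. The script below is an added example for this page, not the report's tooling and not Kevin Breen's rule: it searches a memory region for the five atoms the report prints for that rule ($key, $salt, $string1..$string3) and renders hits in the report's "offset:$name: value" form. The rule's full string set and its condition are not on the page, so the condition used here (every listed atom present at least once) is an assumption. Atoms are searched as UTF-16LE as well as ASCII, because string constants in a .NET assembly are stored wide; the sample region is constructed, with $key repeated at the same 0x24-byte stride the dump shows.

```python
"""Re-check the RAT_HawkEye memory-dump hits without a YARA engine."""
import re

# The five atoms the report prints for the rule (the rule itself has more).
ATOMS = {
    "$key": "HawkEyeKeylogger",
    "$salt": "099u787978786",
    "$string1": "HawkEye_Keylogger",
    "$string2": "holdermail.txt",
    "$string3": "wallet.dat",
}
ENCODINGS = ("utf-16-le", "ascii")


def scan(blob: bytes) -> dict:
    """Map each atom to a sorted list of (offset, encoding) occurrences."""
    hits = {}
    for name, text in ATOMS.items():
        found = []
        for enc in ENCODINGS:
            needle = re.escape(text.encode(enc))
            found += [(m.start(), enc) for m in re.finditer(needle, blob)]
        hits[name] = sorted(found)
    return hits


def matches(hits: dict) -> bool:
    """Assumed condition: every atom the report lists must occur at least once."""
    return all(hits[name] for name in ATOMS)


def format_hits(hits: dict) -> list:
    """Render hits the way the report does, e.g. '0x2ad60:$key: HawkEyeKeylogger'."""
    lines = []
    for name, occurrences in hits.items():
        for offset, _ in occurrences:
            lines.append(f"0x{offset:x}:{name}: {ATOMS[name]}")
    return lines


def build_sample(include_salt: bool = True) -> bytes:
    """Constructed 512-byte region laid out like a .NET user-string heap."""
    blob = bytearray(0x200)
    layout = [(0x10, "$key"), (0x34, "$key"), (0x58, "$key"),  # 0x24 stride
              (0x90, "$string1"), (0xC0, "$string2"), (0xF0, "$string3")]
    if include_salt:
        layout.append((0x120, "$salt"))
    for offset, name in layout:
        data = ATOMS[name].encode("utf-16-le")
        blob[offset:offset + len(data)] = data
    # An ASCII copy too, as a native (non-.NET) component would store it.
    blob[0x180:0x180 + len(b"wallet.dat")] = b"wallet.dat"
    return bytes(blob)


if __name__ == "__main__":
    result = scan(build_sample())
    print("\n".join(format_hits(result)))
    print("RAT_HawkEye condition satisfied:", matches(result))
```

To use it on a real dump, replace build_sample() with open(path, "rb").read(). Scanning both encodings matters: the injected NirSoft tools are native code and store their strings in ASCII, while the HawkEye loader is .NET and stores them wide, and a dump of the hollowed process can contain both.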

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ZMOKwXqVHO.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Avira: detection malicious, Label: HEUR/AGEN.1121314
Found malware configuration
Source: vbc.exe.4416.15.memstr | Malware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: ZMOKwXqVHO.exe | Metadefender: Detection: 45%
Source: ZMOKwXqVHO.exe | ReversingLabs: Detection: 72%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ZMOKwXqVHO.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack | Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack | Avira: Label: SPR/Tool.MailPassView.473

May infect USB drives
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp | Binary or memory string: autorun.inf
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp | Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00407E0E FindFirstFileW,FindNextFileW,FindClose

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then call 02C36828h (10_2_02C3DB1C)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (10_2_02C3DB1C)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] (10_2_02C3D500)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then mov esp, ebp (10_2_02C39A20)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (10_2_02C3B3D5)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (10_2_02C319C3)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then jmp 02C3676Eh (10_2_02C366A8)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (10_2_02C3B7B8)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (10_2_02C30773)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (10_2_02C364EB)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (10_2_0BD7065E)
Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (10_2_0BD704A0)

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: whatismyipaddress.com

Source: global traffic | TCP traffic: 192.168.2.5:49737 -> 31.209.137.12:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.16.154.36

Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: 149.189.2.0.in-addr.arpa
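Two of the traffic lines above are the ones worth turning into detections: the request to whatismyipaddress.com carries only Host and Connection headers, no User-Agent (a raw .NET HttpWebRequest sends none unless the code sets one, a browser always does), and the session to 31.209.137.12:587 is SMTP submission opened straight from the implant, which is how HawkEye mails the stolen credentials out. The script below is an added example for this page, not part of the report. The HTTP request bytes and the flow record are constructed from the report's lines; the process attribution on the flow, the benign browser and Outlook control records, and the MAIL_CLIENTS allow-list are assumptions. It generalises slightly beyond the page by treating ports 25 and 465 like 587.

```python
"""Check captured traffic for the network behaviours in this report."""
import ipaddress
import ntpath

# Hosts a sample contacts to learn its public IP; only the one on the page.
IP_LOOKUP_HOSTS = {"whatismyipaddress.com"}
SMTP_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def check_http(raw: bytes) -> list:
    """Flag a request with no User-Agent and/or aimed at an IP-lookup host."""
    req = parse_http_request(raw)
    findings = []
    host = req["headers"].get("host", "").lower().split(":")[0]
    # Browsers always send User-Agent; .NET HttpWebRequest sends none by default.
    if "user-agent" not in req["headers"]:
        findings.append("http_no_user_agent")
    if host in IP_LOOKUP_HOSTS:
        findings.append("external_ip_lookup")
    return findings


def check_flow(flow: dict) -> list:
    """flow: src, dst, dport, proto, process (image path of the initiator)."""
    findings = []
    dst = ipaddress.ip_address(flow["dst"])
    proc = ntpath.basename(flow["process"]).lower()
    # Outbound SMTP from anything but a mail client is the exfiltration
    # channel this family uses; an internal relay would be a private address.
    if (flow["proto"] == "tcp" and flow["dport"] in SMTP_PORTS
            and not dst.is_private and proc not in MAIL_CLIENTS):
        findings.append("smtp_from_non_mail_client")
    return findings


# Constructed from the report's HTTP line: no User-Agent header at all.
HAWKEYE_REQUEST = (b"GET / HTTP/1.1\r\n"
                   b"Host: whatismyipaddress.com\r\n"
                   b"Connection: Keep-Alive\r\n\r\n")
# Constructed browser request to the same host, for contrast.
BROWSER_REQUEST = (b"GET / HTTP/1.1\r\n"
                   b"Host: whatismyipaddress.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\n"
                   b"Accept: text/html\r\n\r\n")
# The report's TCP session; the initiating process is assumed.
HAWKEYE_FLOW = dict(src="192.168.2.5", dst="31.209.137.12", dport=587, proto="tcp",
                    process=r"C:\Users\user\Desktop\ZMOKwXqVHO.exe")
OUTLOOK_FLOW = dict(src="192.168.2.5", dst="31.209.137.12", dport=587, proto="tcp",
                    process=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE")

if __name__ == "__main__":
    print(check_http(HAWKEYE_REQUEST), check_flow(HAWKEYE_FLOW))
```

The IP-lookup check on its own is weak (plenty of legitimate software asks the same sites), which is why the report scores it as "may check"; combined with a missing User-Agent from a process that is not a browser, and an SMTP session from the same process minutes later, it is the full HawkEye exfiltration sequence.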
Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362253216.0000000009420000.00000004.00000001.sdmp | String found in binary or memory: http://en.w(
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362162715.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip)
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: ZMOKwXqVHO.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: ZMOKwXqVHO.exe | String found in binary or memory: http://s.symcd.com06
Source: ZMOKwXqVHO.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: ZMOKwXqVHO.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: ZMOKwXqVHO.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp | String found in binary or memory: http://whatismyipaddress.com/
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: ZMOKwXqVHO.exe, 0000000A.00000003.366741525.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/5
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ZMOKwXqVHO.exe, 0000000A.00000003.368450950.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: ZMOKwXqVHO.exe, 0000000A.00000003.367861314.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlB
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.361490197.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.360927587.0000000009402000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn%e
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnMe/
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnueG
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ZMOKwXqVHO.exe, 0000000A.00000003.371781685.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/I
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ZMOKwXqVHO.exe, 0000000A.00000003.372133424.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmL
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.363163049.00000000093FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//-uk
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363163049.00000000093FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/pt-p#
Source: ZMOKwXqVHO.exe, 0000000A.00000003.374927092.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: ZMOKwXqVHO.exe, 0000000A.00000003.375035852.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.1
Source: vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.359317739.00000000093FC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363669672.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: ZMOKwXqVHO.exe, 0000000A.00000003.363669672.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com-rS
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361434344.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.
Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: ZMOKwXqVHO.exe, 0000000A.00000003.361357543.000000000941E000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.como
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361696938.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnGe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361696938.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cne
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361785361.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnlt
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361785361.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/cps0%
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/rpa0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/rpa0.
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
                    Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                    Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362253216.0000000009420000.00000004.00000001.sdmpString found in binary or memory: http://en.w(
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362162715.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://en.wikip)
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://s.symcd.com06
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.366741525.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/5
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.368450950.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.367861314.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlB
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com=
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.361490197.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.360927587.0000000009402000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn%e
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnMe/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnueG
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.371781685.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/I
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    Yara detected HawkEye Keylogger
                    Source: Yara match	File source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match	File source: Process Memory Space: ZMOKwXqVHO.exe PID: 5664, type: MEMORY
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 15_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,15_2_0040AC8A

                    System Summary:

                    Malicious sample detected (through community Yara rule)
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Process Stats: CPU usage > 98%
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 0_2_0214117C NtProtectVirtualMemory,0_2_0214117C
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_06DD5E3A NtWriteVirtualMemory,10_2_06DD5E3A
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_06DD55F6 NtQuerySystemInformation,10_2_06DD55F6
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_06DD5D92 NtResumeThread,10_2_06DD5D92
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_06DD5E0D NtWriteVirtualMemory,10_2_06DD5E0D
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_06DD55C4 NtQuerySystemInformation,10_2_06DD55C4
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,16_2_00408836
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 17_2_0231117C NtProtectVirtualMemory,17_2_0231117C
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 21_2_0225117C NtProtectVirtualMemory,21_2_0225117C
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 0_2_00408422 0_2_00408422
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 0_2_021422B4 0_2_021422B4
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_004060F0 10_2_004060F0
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_00406159 10_2_00406159
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_0040A570 10_2_0040A570
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_004107A5 10_2_004107A5
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_00405A80 10_2_00405A80
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_00402AB0 10_2_00402AB0
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_00405D60 10_2_00405D60
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_00409E70 10_2_00409E70
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_0040AE0F 10_2_0040AE0F
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_0040BE30 10_2_0040BE30
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C36AC8 10_2_02C36AC8
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C3DB1C 10_2_02C3DB1C
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C3CDF8 10_2_02C3CDF8
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C3AD98 10_2_02C3AD98
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C36ABB 10_2_02C36ABB
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C319D9 10_2_02C319D9
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C319E8 10_2_02C319E8
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C3B7B8 10_2_02C3B7B8
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C3AD89 10_2_02C3AD89
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C3DE38 10_2_02C3DE38
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: 10_2_02C3B7C8 10_2_02C3B7C8
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 15_2_00404DDB 15_2_00404DDB
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 15_2_0040BD8A 15_2_0040BD8A
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 15_2_00404E4C 15_2_00404E4C
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 15_2_00404EBD 15_2_00404EBD
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 15_2_00404F4E 15_2_00404F4E
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_00404419 16_2_00404419
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_00404516 16_2_00404516
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_00413538 16_2_00413538
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_004145A1 16_2_004145A1
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_0040E639 16_2_0040E639
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_004337AF 16_2_004337AF
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_004399B1 16_2_004399B1
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_0043DAE7 16_2_0043DAE7
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_00405CF6 16_2_00405CF6
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_00403F85 16_2_00403F85
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 16_2_00411F99 16_2_00411F99
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 17_2_023122B4 17_2_023122B4
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 21_2_022522B4 21_2_022522B4
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 22_2_00408422 22_2_00408422
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: String function: 00410D6C appears 44 times
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: String function: 0040443A appears 44 times
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe	Code function: String function: 004044F1 appears 63 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times
                    Source: ZMOKwXqVHO.exe	Static PE information: invalid certificate
                    Source: ZMOKwXqVHO.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WindowsUpdate.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.303894995.00000000004BC000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.304224454.0000000002130000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.304962839.0000000003176000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.395927643.000000000AA4D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.526199139.000000000047A000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534124315.0000000006F70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.545079962.000000000B0E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe	Binary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY | Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.cs | Cryptographic APIs: 'CreateDecryptor'
                    Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@13/5@4/4
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,16_2_00415AFD
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 10_2_06DD404A AdjustTokenPrivileges,10_2_06DD404A
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 10_2_06DD4013 AdjustTokenPrivileges,10_2_06DD4013
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Code function: 16_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,16_2_00415F87
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Code function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,10_2_00401470
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | File created: C:\Users\user\AppData\Roaming\pid.txt
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | File created: C:\Users\user\AppData\Local\Temp\~DFC68DDA435CDE0002.TMP
                    Source: ZMOKwXqVHO.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Section loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | System information queried: HandleInformation
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: ZMOKwXqVHO.exe | Metadefender: Detection: 45%
                    Source: ZMOKwXqVHO.exe | ReversingLabs: Detection: 72%
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | File read: C:\Users\user\Desktop\ZMOKwXqVHO.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\ZMOKwXqVHO.exe 'C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: unknown | Process created: C:\Users\user\Desktop\ZMOKwXqVHO.exe C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Process created: C:\Users\user\Desktop\ZMOKwXqVHO.exe C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe | Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: Binary string: mC:\Windows\System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Ru.pdb.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp
                    Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmp, vbc.exe
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe
                    Source: Binary string: System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: mscorrc.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.534124315.0000000006F70000.00000002.00000001.sdmp