Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report ZMOKwXqVHO

Overview

General Information

Sample Name:ZMOKwXqVHO (renamed file extension from none to exe)
Analysis ID:317631
MD5:b21b4ac6445d23e8b8a1b65df573a334
SHA1:bd3f7eae07d33dea9cec38de5d79765af5ce33fb
SHA256:f48fc03a6774a235d15b347b14891185d50d45726f4cc84b838e3d16add5c0d0
Tags:HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Generic Dropper
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • ZMOKwXqVHO.exe (PID: 6536 cmdline: 'C:\Users\user\Desktop\ZMOKwXqVHO.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
    • ZMOKwXqVHO.exe (PID: 5664 cmdline: C:\Users\user\Desktop\ZMOKwXqVHO.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
      • vbc.exe (PID: 4416 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 2248 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
  • WindowsUpdate.exe (PID: 3676 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
    • WindowsUpdate.exe (PID: 5320 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
  • WindowsUpdate.exe (PID: 5180 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
    • WindowsUpdate.exe (PID: 5328 cmdline: C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: B21B4AC6445D23E8B8A1B65DF573A334)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["Mail PassView", "mailpv"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
    0000000F.00000002.405380242.0000000000400000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
      0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
        0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
          0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
          • 0x2ad60:$key: HawkEyeKeylogger
          • 0x2ad84:$key: HawkEyeKeylogger
          • 0x2ada8:$key: HawkEyeKeylogger
          • 0x2adcc:$key: HawkEyeKeylogger
          • 0x2adf0:$key: HawkEyeKeylogger
          • 0x2ae14:$key: HawkEyeKeylogger
          • 0x2ae38:$key: HawkEyeKeylogger
          • 0x2f48c:$salt: 099u787978786
          • 0x2b802:$string1: HawkEye_Keylogger
          • 0x2b872:$string1: HawkEye_Keylogger
          • 0x2c9d6:$string1: HawkEye_Keylogger
          • 0x2ca3e:$string1: HawkEye_Keylogger
          • 0x2d78c:$string1: HawkEye_Keylogger
          • 0x2d7f4:$string1: HawkEye_Keylogger
          • 0x2eebe:$string1: HawkEye_Keylogger
          • 0x2f3e2:$string1: HawkEye_Keylogger
          • 0x2bdde:$string2: holdermail.txt
          • 0x2be00:$string2: holdermail.txt
          • 0x2be20:$string2: holdermail.txt
          • 0x2be40:$string2: holdermail.txt
          • 0x2bc72:$string3: wallet.dat
          Click to see the 13 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          15.2.vbc.exe.400000.0.raw.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            16.2.vbc.exe.400000.0.raw.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              16.2.vbc.exe.400000.0.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                15.2.vbc.exe.400000.0.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
                  10.2.ZMOKwXqVHO.exe.2b40000.1.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
                    Click to see the 1 entries

                    Sigma Overview

                    No Sigma rule has matched

                    Signature Overview

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection:

                    barindex
                    Antivirus / Scanner detection for submitted sampleShow sources
                    Source: ZMOKwXqVHO.exeAvira: detected
                    Source: ZMOKwXqVHO.exeAvira: detected
                    Antivirus detection for dropped fileShow sources
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeAvira: detection malicious, Label: HEUR/AGEN.1121314
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeAvira: detection malicious, Label: HEUR/AGEN.1121314
                    Found malware configurationShow sources
                    Source: vbc.exe.4416.15.memstrMalware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
                    Source: vbc.exe.4416.15.memstrMalware Configuration Extractor: HawkEye {"Modules": ["Mail PassView", "mailpv"], "Version": ""}
                    Multi AV Scanner detection for dropped fileShow sources
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 45%Perma Link
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 72%
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 45%Perma Link
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 72%
                    Multi AV Scanner detection for submitted fileShow sources
                    Source: ZMOKwXqVHO.exeMetadefender: Detection: 45%Perma Link
                    Source: ZMOKwXqVHO.exeReversingLabs: Detection: 72%
                    Source: ZMOKwXqVHO.exeMetadefender: Detection: 45%Perma Link
                    Source: ZMOKwXqVHO.exeReversingLabs: Detection: 72%
                    Machine Learning detection for dropped fileShow sources
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
                    Machine Learning detection for sampleShow sources
                    Source: ZMOKwXqVHO.exeJoe Sandbox ML: detected
                    Source: ZMOKwXqVHO.exeJoe Sandbox ML: detected
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpackAvira: Label: TR/AD.MExecute.lzrac
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpackAvira: Label: SPR/Tool.MailPassView.473
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpackAvira: Label: TR/AD.MExecute.lzrac
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpackAvira: Label: SPR/Tool.MailPassView.473
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpBinary or memory string: autorun.inf
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpBinary or memory string: [autorun]
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpBinary or memory string: autorun.inf
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpBinary or memory string: [autorun]
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then call 02C36828h
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then mov esp, ebp
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then jmp 02C3676Eh
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then call 02C36828h
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then mov esp, ebp
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then jmp 02C3676Eh
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]

                    Networking:

                    barindex
                    May check the online IP address of the machineShow sources
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: unknownDNS query: name: whatismyipaddress.com
                    Source: global trafficTCP traffic: 192.168.2.5:49737 -> 31.209.137.12:587
                    Source: global trafficTCP traffic: 192.168.2.5:49737 -> 31.209.137.12:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
                    Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
                    Source: global trafficTCP traffic: 192.168.2.5:49737 -> 31.209.137.12:587
                    Source: global trafficTCP traffic: 192.168.2.5:49737 -> 31.209.137.12:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                    Source: vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: unknownDNS traffic detected: queries for: 149.189.2.0.in-addr.arpa
                    Source: unknownDNS traffic detected: queries for: 149.189.2.0.in-addr.arpa
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362253216.0000000009420000.00000004.00000001.sdmpString found in binary or memory: http://en.w(
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362162715.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://en.wikip)
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://s.symcd.com06
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.366741525.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/5
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.368450950.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.367861314.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlB
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com=
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.361490197.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.360927587.0000000009402000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn%e
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnMe/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnueG
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.371781685.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/I
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.372133424.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmL
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.363163049.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/(
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//-uk
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/O
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363163049.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/pt-p#
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.374927092.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.375035852.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.1
                    Source: vbc.exe, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.359317739.00000000093FC000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363669672.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363669672.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-rS
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361434344.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361357543.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.como
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361696938.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnGe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361696938.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cne
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361785361.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnlt
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361785361.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/cps0%
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/rpa0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/rpa0.
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
                    Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                    Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362253216.0000000009420000.00000004.00000001.sdmpString found in binary or memory: http://en.w(
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362162715.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://en.wikip)
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535821550.00000000073FE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://s.symcd.com06
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.366741525.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/5
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.368450950.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.367861314.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlB
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com=
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.538695380.00000000093F0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.361490197.000000000941E000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.360927587.0000000009402000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn%e
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnMe/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361070243.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnueG
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.371781685.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/I
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.372133424.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmL
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.363163049.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/(
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//-uk
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/O
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.362840827.00000000093F8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/O
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/p
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363163049.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363412241.00000000093FA000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/pt-p#
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.374927092.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.375035852.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.1
                    Source: vbc.exe, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmp, ZMOKwXqVHO.exe, 0000000A.00000003.359317739.00000000093FC000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363669672.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.363669672.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com-rS
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpString found in binary or memory: http://www.site.com/logs.php
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361434344.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361357543.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.como
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.544580831.000000000A602000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361696938.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnGe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361696938.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cne
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361785361.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnlt
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.361785361.000000000941E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/cps0%
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/rpa0
                    Source: ZMOKwXqVHO.exeString found in binary or memory: https://d.symcb.com/rpa0.
                    Source: vbc.exe, 00000010.00000003.408073220.000000000215C000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
                    Source: vbc.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpString found in binary or memory: https://whatismyipaddress.com
                    Source: vbc.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735

                    Key, Mouse, Clipboard, Microphone and Screen Capturing:

                    barindex
                    Yara detected HawkEye KeyloggerShow sources
                    Source: Yara matchFile source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ZMOKwXqVHO.exe PID: 5664, type: MEMORY
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

                    System Summary:

                    barindex
                    Malicious sample detected (through community Yara rule)Show sources
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeProcess Stats: CPU usage > 98%
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeProcess Stats: CPU usage > 98%
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_0214117C NtProtectVirtualMemory,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_0214117C NtProtectVirtualMemory,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD5E3A NtWriteVirtualMemory,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD55F6 NtQuerySystemInformation,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD5D92 NtResumeThread,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD5E0D NtWriteVirtualMemory,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD55C4 NtQuerySystemInformation,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 17_2_0231117C NtProtectVirtualMemory,
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 21_2_0225117C NtProtectVirtualMemory,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00408422
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_021422B4
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00408422
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_021422B4
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_004060F0
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00406159
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0040A570
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_004107A5
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00405A80
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00402AB0
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00405D60
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00409E70
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0040AE0F
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0040BE30
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C36AC8
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C3DB1C
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C3CDF8
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C3AD98
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C36ABB
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C319D9
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C319E8
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C3B7B8
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C3AD89
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C3DE38
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C3B7C8
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00404DDB
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_0040BD8A
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00404E4C
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00404EBD
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00404F4E
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404419
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00404516
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00413538
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_004145A1
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_0040E639
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_004337AF
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_004399B1
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_0043DAE7
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00405CF6
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00403F85
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00411F99
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 17_2_023122B4
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 21_2_022522B4
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 22_2_00408422
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: String function: 00410D6C appears 44 times
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: String function: 0040443A appears 44 times
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: String function: 004044F1 appears 63 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413F8E appears 66 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00413E2D appears 34 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00442A90 appears 36 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 004141D6 appears 88 times
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: String function: 00411538 appears 35 times
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: String function: 00410D6C appears 44 times
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: String function: 0040443A appears 44 times
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: String function: 004044F1 appears 63 times
                    Source: ZMOKwXqVHO.exeStatic PE information: invalid certificate
                    Source: ZMOKwXqVHO.exeStatic PE information: invalid certificate
                    Source: ZMOKwXqVHO.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WindowsUpdate.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ZMOKwXqVHO.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WindowsUpdate.exe.10.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.303894995.00000000004BC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.304224454.0000000002130000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.304962839.0000000003176000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.395927643.000000000AA4D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.526199139.000000000047A000.00000004.00020000.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534124315.0000000006F70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.545079962.000000000B0E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exeBinary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.303894995.00000000004BC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.304224454.0000000002130000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 00000000.00000002.304962839.0000000003176000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000003.395927643.000000000AA4D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.526199139.000000000047A000.00000004.00020000.sdmpBinary or memory string: OriginalFilenamePhulli.exe0 vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemailpv.exe< vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.534124315.0000000006F70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.545079962.000000000B0E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs ZMOKwXqVHO.exe
                    Source: ZMOKwXqVHO.exeBinary or memory string: OriginalFilenameGaspingly.exe vs ZMOKwXqVHO.exe
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                    Source: 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.csCryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.csCryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.csCryptographic APIs: 'CreateDecryptor'
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.csCryptographic APIs: 'CreateDecryptor'
                    Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@13/5@4/4
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD404A AdjustTokenPrivileges,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD4013 AdjustTokenPrivileges,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD404A AdjustTokenPrivileges,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DD4013 AdjustTokenPrivileges,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 16_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile created: C:\Users\user\AppData\Roaming\pid.txtJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile created: C:\Users\user\AppData\Roaming\pid.txtJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile created: C:\Users\user\AppData\Local\Temp\~DFC68DDA435CDE0002.TMPJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile created: C:\Users\user\AppData\Local\Temp\~DFC68DDA435CDE0002.TMPJump to behavior
                    Source: ZMOKwXqVHO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: ZMOKwXqVHO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeSystem information queried: HandleInformation
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe, 00000010.00000002.409018158.0000000000400000.00000040.00000001.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: ZMOKwXqVHO.exeMetadefender: Detection: 45%
                    Source: ZMOKwXqVHO.exeReversingLabs: Detection: 72%
                    Source: ZMOKwXqVHO.exeMetadefender: Detection: 45%
                    Source: ZMOKwXqVHO.exeReversingLabs: Detection: 72%
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Users\user\Desktop\ZMOKwXqVHO.exeJump to behavior
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile read: C:\Users\user\Desktop\ZMOKwXqVHO.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\ZMOKwXqVHO.exe 'C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: unknownProcess created: C:\Users\user\Desktop\ZMOKwXqVHO.exe C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeProcess created: C:\Users\user\Desktop\ZMOKwXqVHO.exe C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Users\user\Desktop\ZMOKwXqVHO.exe 'C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: unknownProcess created: C:\Users\user\Desktop\ZMOKwXqVHO.exe C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeProcess created: C:\Users\user\Desktop\ZMOKwXqVHO.exe C:\Users\user\Desktop\ZMOKwXqVHO.exe'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeProcess created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: Binary string: mC:\Windows\System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Ru.pdb.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp
                    Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmp, vbc.exe
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe
                    Source: Binary string: System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: mscorrc.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.534124315.0000000006F70000.00000002.00000001.sdmp
                    Source: Binary string: mC:\Windows\System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Ru.pdb.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.534321765.0000000007001000.00000004.00000001.sdmp
                    Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.535991295.0000000008001000.00000004.00000001.sdmp, vbc.exe
                    Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.536306548.00000000081EC000.00000004.00000001.sdmp, vbc.exe
                    Source: Binary string: System.Runtime.Remoting.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.545940154.000000000C11B000.00000004.00000001.sdmp
                    Source: Binary string: mscorrc.pdb source: ZMOKwXqVHO.exe, 0000000A.00000002.534124315.0000000006F70000.00000002.00000001.sdmp

                    Data Obfuscation:

                    barindex
                    Detected unpacking (changes PE section rights)Show sources
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeUnpacked PE file: 10.2.ZMOKwXqVHO.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeUnpacked PE file: 10.2.ZMOKwXqVHO.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Detected unpacking (overwrites its own PE header)Show sources
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeUnpacked PE file: 10.2.ZMOKwXqVHO.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeUnpacked PE file: 10.2.ZMOKwXqVHO.exe.400000.0.unpack
                    .NET source code contains potential unpackerShow sources
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs.Net Code: RWlSGMtJk System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs.Net Code: RWlSGMtJk System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs.Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs.Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, Phulli/Form1.cs.Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00401470 _getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,CloseHandle,Module32Next,CloseHandle,CloseHandle,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,_memset,LoadLibraryA,GetProcAddress,CLRCreateInstance,GetProcAddress,GetModuleFileNameA,GetModuleFileNameW,
                    Source: ZMOKwXqVHO.exeStatic PE information: real checksum: 0xc4681 should be: 0xc616b
                    Source: WindowsUpdate.exe.10.drStatic PE information: real checksum: 0xc4681 should be: 0xc616b
                    Source: ZMOKwXqVHO.exeStatic PE information: real checksum: 0xc4681 should be: 0xc616b
                    Source: WindowsUpdate.exe.10.drStatic PE information: real checksum: 0xc4681 should be: 0xc616b
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00405850 push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00405808 push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00403D6C push ebx; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_004065F9 push ebx; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00402EEA push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00405777 push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00402F7B push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00402FC3 push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00405850 push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00405808 push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00403D6C push ebx; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_004065F9 push ebx; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00402EEA push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00405777 push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00402F7B push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 0_2_00402FC3 push esi; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_00410DB1 push ecx; ret
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047B898 push cs; ret
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047C253 push B86A34CEh; ret
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047DA1A push dword ptr [esi]; retf
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047EA97 push es; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047D6C6 push ecx; ret
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047C6E9 push ecx; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047F6FC push ebx; retf
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047C684 push ADA19B0Eh; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047FEA2 push esp; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047D6A1 push ebp; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_0047C77A push ecx; iretd
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C35A27 push ds; ret
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C3586F push ds; ret
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_02C35947 push ds; ret
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DC0870 push es; retn 0008h
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DC0870 push es; retn 0024h
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DC09EF push es; retn 0020h
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DC09B7 push es; retn 0020h
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DC09B7 push es; retn 0024h
                    Source: C:\Users\user\Desktop\ZMOKwXqVHO.exeCode function: 10_2_06DC097F push es; retn 0020h
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_00411879 push ecx; ret
                    Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 15_2_004118A0 push eax; ret
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.23406008537
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.23406008537
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.23406008537
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.23406008537
                    Source: 10.2.ZMOKwXqVHO.exe.2b40000.1.unpack, jU7QUMMwSjZFYEKktS/hTHD63P5b9dUSIuZbT.csHigh entropy of concatenated method names: '.cctor', 'USyTN3LVEAtbl', 'Duof4wqCd4', 'mDaflC1GXr', 'eLAfDIWtjy', 'DmlfLdh5l2', 'ITafvp0oPQ', 'l6FfQloMnm', 'u2of93EAds', 'WO1f