Analysis Report khJdbt0clZ

Overview

General Information

Sample Name: khJdbt0clZ (renamed file extension from none to exe)
Analysis ID: 317798
MD5: 2ebcbce3a454b07ae4bef1f9bdf1aeed
SHA1: 203022baa8bd7d52fd1066e9afc99b1039e6707e
SHA256: 6351df97ad5c397ca6f90b7344b534dd95ad10e3945dce4766c52615af96ba86
Tags: HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected Generic Dropper
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: khJdbt0clZ.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: HEUR/AGEN.1117896
Found malware configuration
Source: WindowsUpdate.exe.6924.12.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Metadefender: Detection: 29% Perma Link
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 47%
Multi AV Scanner detection for submitted file
Source: khJdbt0clZ.exe Virustotal: Detection: 65% Perma Link
Source: khJdbt0clZ.exe Metadefender: Detection: 29% Perma Link
Source: khJdbt0clZ.exe ReversingLabs: Detection: 47%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: khJdbt0clZ.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.3.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.3.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 16.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.3.khJdbt0clZ.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.3.khJdbt0clZ.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.3.khJdbt0clZ.exe.770000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.1.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 2.1.khJdbt0clZ.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.1.khJdbt0clZ.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.1.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/Inject.vcoldi
Source: 13.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 16.3.WindowsUpdate.exe.720000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 16.2.WindowsUpdate.exe.720000.2.unpack Avira: Label: TR/Inject.vcoldi
Source: 13.2.WindowsUpdate.exe.870000.2.unpack Avira: Label: TR/Inject.vcoldi
Source: 13.3.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.3.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.3.WindowsUpdate.exe.870000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 2.2.khJdbt0clZ.exe.770000.2.unpack Avira: Label: TR/Inject.vcoldi
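The unpack entries above repeat a handful of Avira labels across many dump identifiers, which makes it hard to see at a glance which label belongs to which process and memory region. As an added example (not part of the Joe Sandbox report and not Joe Security tooling), the Python below parses lines of the form "Source: <proc>.<stage>.<image>.<base>.<n>.unpack Avira: Label: ..." and the "Malware Configuration Extractor" line into a per-process, per-dump-base view and drops exact duplicate lines. That layout of the identifier (process index, stage, image name, hex base, dump number) is inferred from the report and is an assumption; the sample lines are copied from the report. Grouping by base makes the injector label (TR/Inject.vcoldi) at the non-image bases 0x770000, 0x720000 and 0x870000 stand out from the MailPassView payload at the image base 0x400000.

```python
"""Normalise Joe Sandbox 'Source: ...' lines into structured records.

Added example; not part of the report or of any Joe Security tool. The field
layout <proc>.<stage>.<image>.<base>.<n>.unpack is inferred from the report's
own identifiers and is an assumption about the naming scheme.
"""
import json
import re
from collections import defaultdict

# Lines copied from the report above (constructed test input; one deliberate duplicate).
REPORT_LINES = [
    "Source: 2.2.khJdbt0clZ.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac",
    "Source: 2.2.khJdbt0clZ.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473",
    "Source: 2.3.khJdbt0clZ.exe.770000.1.unpack Avira: Label: TR/Inject.vcoldi",
    "Source: 2.3.khJdbt0clZ.exe.770000.1.unpack Avira: Label: TR/Inject.vcoldi",
    "Source: 16.1.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen",
    "Source: 13.2.WindowsUpdate.exe.870000.2.unpack Avira: Label: TR/Inject.vcoldi",
    'Source: WindowsUpdate.exe.6924.12.memstr Malware Configuration Extractor: '
    'HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}',
]

# <proc>.<stage>.<image>.<base>.<n>.unpack -- image names contain dots, so the
# image group is non-greedy and the base must be hex followed by ".<n>.unpack".
UNPACK_RE = re.compile(
    r"^Source: (?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>\S+?)\."
    r"(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)\.unpack "
    r"(?P<engine>\w+): Label: (?P<label>\S+)$"
)
CONFIG_RE = re.compile(
    r"Malware Configuration Extractor: (?P<family>\w+) (?P<cfg>\{.*\})$"
)


def parse_line(line):
    """Return a dict for an unpack-label or config-extractor line, else None."""
    m = UNPACK_RE.match(line)
    if m:
        return {
            "kind": "unpack",
            "proc": int(m["proc"]),        # sandbox process index (assumption), not the OS PID
            "stage": int(m["stage"]),
            "image": m["image"],
            "base": int(m["base"], 16),    # base address of the dumped region
            "engine": m["engine"],
            "label": m["label"],
        }
    m = CONFIG_RE.search(line)
    if m:
        return {"kind": "config", "family": m["family"], "config": json.loads(m["cfg"])}
    return None


def parse_report(lines):
    """Drop exact-repeat lines and group labels by process/image and dump base."""
    seen = set()
    labels = defaultdict(lambda: defaultdict(set))
    configs = []
    dropped = 0
    for raw in lines:
        line = raw.strip()
        if line in seen:
            dropped += 1
            continue
        seen.add(line)
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "unpack":
            labels[f"{rec['proc']}/{rec['image']}"][rec["base"]].add(rec["label"])
        else:
            configs.append(rec)
    return {
        "labels": {k: dict(v) for k, v in labels.items()},
        "configs": configs,
        "duplicates_dropped": dropped,
    }


def injected_regions(parsed, image_base=0x400000):
    """Dumps whose base is not the image base: candidate injected/unpacked payload regions."""
    out = {}
    for key, by_base in parsed["labels"].items():
        extra = {hex(b): sorted(l) for b, l in by_base.items() if b != image_base}
        if extra:
            out[key] = extra
    return out


if __name__ == "__main__":
    parsed = parse_report(REPORT_LINES)
    print(json.dumps(parsed["labels"], default=sorted, indent=2))
    print("injected regions:", injected_regions(parsed))
    for cfg in parsed["configs"]:
        print(cfg["family"], "modules:", cfg["config"].get("Modules"))
```

Feed it the full text export of a report and the output is a compact triage table: one entry per process, one sub-entry per dump base, with the extracted configuration alongside.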

Spreading:

May infect USB drives
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: khJdbt0clZ.exe Binary or memory string: autorun.inf
Source: khJdbt0clZ.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe Binary or memory string: autorun.inf
Source: WindowsUpdate.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 4_2_00406EC3

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 13_2_049F0728
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 16_2_049F0728

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com (identical entry listed 20 times in the report)
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.154.36
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0083A186 recv, 2_2_0083A186
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
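The request the sandbox logged is printed above with its line breaks collapsed ("GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive"). As an added example (not from the report), the following Python restores the CRLF framing (an assumption about the original wire format) and implements the two checks behind the "HTTP GET or POST without a user agent" and "May check the online IP address of the machine" signatures: a GET or POST with no User-Agent header, and a Host that belongs to an external-IP lookup service. A browser-style request to the same host is included for contrast; both inputs are constructed.

```python
"""Flag HTTP requests with no User-Agent or aimed at an external-IP lookup host.

Added example, not part of the Joe Sandbox report. The request bytes are
reconstructed from the report's flattened 'GET / HTTP/1.1Host: ...' entry
with CRLFs restored (an assumption about the original framing).
"""
IP_LOOKUP_HOSTS = {"whatismyipaddress.com"}   # from the report; extend with hosts you track

# Reconstruction of the request the sandbox logged (constructed input).
IP_CHECK_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: whatismyipaddress.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

# A typical browser request to the same host, for contrast (constructed input).
BROWSER_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: whatismyipaddress.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    b"Accept: text/html\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, version, headers).

    Header names are lower-cased; a repeated header keeps its first value.
    Raises ValueError on a truncated head or malformed line.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        headers.setdefault(name.strip().lower(), value.strip())
    return method, target, version, headers


def check_request(raw: bytes):
    """Return the parsed request plus the list of detection flags it triggers."""
    method, target, version, headers = parse_request(raw)
    flags = []
    # Real browsers and most legitimate libraries always send a User-Agent.
    if method in ("GET", "POST") and "user-agent" not in headers:
        flags.append("no-user-agent")
    # Strip an optional :port before comparing the host.
    host = headers.get("host", "").split(":")[0].lower()
    if host in IP_LOOKUP_HOSTS:
        flags.append("external-ip-lookup")
    return {"method": method, "target": target, "host": host, "flags": flags}


if __name__ == "__main__":
    for name, req in (("sandbox", IP_CHECK_REQUEST), ("browser", BROWSER_REQUEST)):
        print(name, check_request(req))
```

On its own, a lookup of whatismyipaddress.com is not malicious; the combination of no User-Agent plus an IP-lookup host is what makes this request worth alerting on, and the same two checks translate directly into a proxy-log query or an IDS rule.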
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: khJdbt0clZ.exe, WindowsUpdate.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown DNS traffic detected: queries for: 172.224.8.0.in-addr.arpa
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000000D.00000002.735237843.00000000027D1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.782569035.00000000028D1000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/fooT
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: khJdbt0clZ.exe, WindowsUpdate.exe String found in binary or memory: http://whatismyipaddress.com/
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: khJdbt0clZ.exe, 00000002.00000003.671438689.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: http://www.agfamonotype.E
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: khJdbt0clZ.exe, 00000002.00000003.666423676.0000000004E84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comva
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: khJdbt0clZ.exe, 00000002.00000003.666071268.0000000004E84000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: khJdbt0clZ.exe, 00000002.00000003.667985771.0000000004E7F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: khJdbt0clZ.exe, 00000002.00000003.667985771.0000000004E7F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Tp
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0v
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: khJdbt0clZ.exe, 00000002.00000003.668239990.0000000004E77000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/_
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/op
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/pko
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/pp
Source: khJdbt0clZ.exe, 00000002.00000003.667985771.0000000004E7F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/settop
Source: khJdbt0clZ.exe, 00000002.00000003.668239990.0000000004E77000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/yp
Source: khJdbt0clZ.exe, 00000002.00000003.670871770.0000000004EA8000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.=4
Source: khJdbt0clZ.exe, 00000002.00000003.670871770.0000000004EA8000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.M7
Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: khJdbt0clZ.exe, 00000002.00000002.940290708.0000000002751000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: khJdbt0clZ.exe, WindowsUpdate.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: WerFault.exe, 0000000A.00000003.774210941.0000000004BB9000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemetry.microee
Source: khJdbt0clZ.exe, 00000002.00000002.940290708.0000000002751000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: khJdbt0clZ.exe, WindowsUpdate.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: khJdbt0clZ.exe, 00000002.00000003.666423676.0000000004E84000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comva
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: khJdbt0clZ.exe, 00000002.00000003.666071268.0000000004E84000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: khJdbt0clZ.exe, 00000002.00000003.667985771.0000000004E7F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: khJdbt0clZ.exe, 00000002.00000003.667985771.0000000004E7F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Tp
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0v
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: khJdbt0clZ.exe, 00000002.00000003.668239990.0000000004E77000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/_
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/op
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/pko
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/pp
Source: khJdbt0clZ.exe, 00000002.00000003.667985771.0000000004E7F000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/settop
Source: khJdbt0clZ.exe, 00000002.00000003.668239990.0000000004E77000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: khJdbt0clZ.exe, 00000002.00000003.668415072.0000000004E78000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/yp
Source: khJdbt0clZ.exe, 00000002.00000003.670871770.0000000004EA8000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.=4
Source: khJdbt0clZ.exe, 00000002.00000003.670871770.0000000004EA8000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.M7
Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
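The URL strings above mix three very different things: HawkEye's own indicators (the logs.php upload target and the whatismyipaddress.com lookup it uses to tag exfiltrated data with the victim's public IP), strings characteristic of the NirSoft MailPassView / WebBrowserPassView tools that HawkEye embeds (the Yahoo and Google login endpoints, nirsoft.net), and a large amount of noise such as font-vendor URLs from embedded font metadata, certificate revocation endpoints from the code-signing chain, and the WerFault.exe telemetry host. The Python script below is an added triage example, not part of the Joe Sandbox report. It parses lines in the report's own format, maps each .sdmp dump name to its process index, and applies a set of classification rules that are my own assumptions (the font-vendor and NirSoft prefix lists and the label names); the sample input is a constructed subset of the lines above.

```python
import re

# Constructed sample input in the report's own line format (a subset of the
# strings listed on this page; enough to exercise every classification branch).
SAMPLE_LINES = """\
Source: khJdbt0clZ.exe, 00000002.00000002.940290708.0000000002751000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: khJdbt0clZ.exe, WindowsUpdate.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: WerFault.exe, 0000000A.00000003.774210941.0000000004BB9000.00000004.00000001.sdmp String found in binary or memory: https://watson.telemetry.microee
Source: khJdbt0clZ.exe, WindowsUpdate.exe String found in binary or memory: http://whatismyipaddress.com/
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: WindowsUpdate.exe, 0000000D.00000002.735237843.00000000027D1000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/fooT
"""

LINE_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)$")
# Joe Sandbox dump name: <process index>.<stage>.<timestamp>.<address>.<x>.<y>.sdmp
DUMP_RE = re.compile(r"^([0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp$")

# Assumed classification rules (mine, not the sandbox's). Prefix matching is used
# because strings carved from memory often carry trailing junk bytes
# ("typography.netD", "ocsp.comodoca.com0"), so exact host matching would miss them.
FONT_VENDOR_PREFIXES = (
    "www.fontbureau.com", "www.typography.net", "www.jiyu-kobo.co.jp",
    "www.monotype.", "www.agfamonotype.", "www.carterandcone.com",
    "www.founder.com.cn", "www.galapagosdesign.com", "www.goodfont.co.kr",
    "www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr",
    "www.tiro.com", "www.urwpp.de", "www.zhongyicts.com.cn", "fontfabrik.com",
    "www.fonts.com", "www.apache.org",
)
# Strings shipped inside the NirSoft MailPassView / WebBrowserPassView tools that
# HawkEye bundles for credential theft (assumed list).
CRED_TOOL_PREFIXES = (
    "login.yahoo.com/config/login", "www.google.com/accounts/servicelogin", "www.nirsoft.net",
)


def classify(url):
    """Return a coarse triage label for one URL string."""
    hostpath = re.sub(r"^https?://", "", url).lower()
    if any(hostpath.startswith(p) for p in FONT_VENDOR_PREFIXES):
        return "noise: embedded font / licence metadata"
    if hostpath.startswith(("crl.", "ocsp.")):
        return "noise: code-signing certificate infrastructure"
    if hostpath.startswith("watson.telemetry."):
        return "noise: Windows Error Reporting"
    if any(hostpath.startswith(p) for p in CRED_TOOL_PREFIXES):
        return "tooling: NirSoft password-recovery strings"
    if hostpath.startswith("whatismyipaddress.com"):
        return "recon: external IP lookup"
    return "review: candidate C2/exfil endpoint"


def parse_sources(field):
    """Split the 'Source:' field into (process indexes, image names).

    An empty process set means the string was found only in the file on disk.
    """
    procs, images = set(), set()
    for item in field.split(", "):
        m = DUMP_RE.match(item)
        if m:
            procs.add(int(m.group(1), 16))   # 0000000D -> process 13
        else:
            images.add(item)
    return procs, images


def triage(text):
    """Map each URL to its label and the processes/images it was found in."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        procs, images = parse_sources(m.group("sources"))
        entry = result.setdefault(
            m.group("url"), {"label": classify(m.group("url")), "processes": set(), "images": set()})
        entry["processes"] |= procs
        entry["images"] |= images
    return result


def needs_review(text):
    """URLs an analyst should actually look at, sorted."""
    return sorted(u for u, e in triage(text).items() if e["label"].startswith("review:"))


if __name__ == "__main__":
    for url, e in triage(SAMPLE_LINES).items():
        print(f"{e['label']:<48} proc={sorted(e['processes'])} {url}")
```

Run against the full list on this page, the "review" bucket collapses to a couple of entries (the logs.php upload path and the foo.com string), which is the point: the sandbox counts every carved URL as a finding, and the analyst's job is to separate the RAT's configuration from the font and certificate chatter that any .NET binary drags in.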

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000001.755673944.0000000000442000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.662790681.0000000000770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.755220257.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.765004269.0000000000720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.760172040.0000000002490000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.951259163.00000000037CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000001.722730820.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.735805996.00000000037D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.940290708.0000000002751000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.722912236.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.724021644.0000000000870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.734421935.0000000000870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.922951576.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.925419239.0000000000770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.951758588.00000000048F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.783181268.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.756477994.0000000000720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6924, type: MEMORY
Source: Yara match File source: Process Memory Space: khJdbt0clZ.exe PID: 6124, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6984, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 4972, type: MEMORY
Source: Yara match File source: Process Memory Space: khJdbt0clZ.exe PID: 6372, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 7096, type: MEMORY
Source: Yara match File source: 2.2.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.WindowsUpdate.exe.870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.khJdbt0clZ.exe.770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.khJdbt0clZ.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.WindowsUpdate.exe.720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.WindowsUpdate.exe.870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.khJdbt0clZ.exe.770000.2.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA, 4_2_0040AC8A
Creates a DirectInput object (often for capturing keystrokes)
Source: WindowsUpdate.exe, 0000000B.00000002.718582579.000000000093A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000001.755673944.0000000000442000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000001.755673944.0000000000442000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.662790681.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.662790681.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.755220257.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.755220257.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.765004269.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.765004269.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.760172040.0000000002490000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.760172040.0000000002490000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.951259163.00000000037CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.951259163.00000000037CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000001.722730820.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000001.722730820.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.735805996.00000000037D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.735805996.00000000037D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.940290708.0000000002751000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.722912236.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.722912236.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.724021644.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.724021644.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.734421935.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.734421935.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.922951576.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.922951576.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.925419239.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.925419239.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.951758588.00000000048F8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.951758588.00000000048F8000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.783181268.00000000038D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.783181268.00000000038D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.756477994.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.756477994.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.WindowsUpdate.exe.870000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.WindowsUpdate.exe.870000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.khJdbt0clZ.exe.770000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.khJdbt0clZ.exe.770000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.khJdbt0clZ.exe.770000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.khJdbt0clZ.exe.770000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.WindowsUpdate.exe.720000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.WindowsUpdate.exe.720000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.WindowsUpdate.exe.870000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.WindowsUpdate.exe.870000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.khJdbt0clZ.exe.770000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.khJdbt0clZ.exe.770000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
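Both Yara lists above identify matches either by memory dump name (`0000000D.00000002.….sdmp`) or by unpacked-PE name (`13.2.WindowsUpdate.exe.400000.0.unpack`), so it takes some cross-referencing to see which processes actually carry the HawkEye body and where. The Python script below is an added example, not code from the report or from the rule authors: it folds both naming schemes onto the process index (the first dotted field, hexadecimal in dump names and decimal in unpack names), uses the unpack names to recover the image name for each index, and attaches the `Matched rule:` text to the region it was reported for. Two things in it are assumptions about the dump naming rather than facts stated on the page: that the fifth dotted field of a dump name is the Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE), and that an RWX page inside the default x86 image-base range is a reasonable heuristic for a hollowed process. The sample input is a constructed subset of the lines above.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the lines listed on this page, in the
# report's two shapes ("Yara match File source: ..." and "... Matched rule: ...").
SAMPLE_LINES = """\
Source: Yara match File source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.951259163.00000000037CE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6924, type: MEMORY
Source: Yara match File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE
Source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.951259163.00000000037CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
"""

# <proc idx, hex>.<stage>.<timestamp>.<address>.<protection, assumed>.<kind>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$")
# <proc idx, decimal>.<stage>.<image>.<address>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.\d+\.(?P<image>.+?\.exe)\.(?P<addr>[0-9a-fA-F]+)\.\d+(?:\.raw)?\.unpack$")
PROCSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")
RULE_RE = re.compile(r"Matched rule: (?P<rule>.+?) Author: ")

# Assumption: the fifth dotted field of a dump name is the Win32 page protection.
PAGE_EXECUTE_READWRITE = 0x40


def _source(line):
    """Return (source name, MEMORY|UNPACKEDPE) from either line shape, or (None, None)."""
    body = line.split("File source: ", 1)[1] if "File source: " in line else line[len("Source: "):]
    m = re.match(r"(?P<src>.+?), type: (?P<kind>MEMORY|UNPACKEDPE)", body)
    return (m.group("src"), m.group("kind")) if m else (None, None)


def correlate(text):
    """Fold every match onto its process index; return per-process image, regions and rules."""
    procs = defaultdict(lambda: {"image": None, "regions": set(), "rwx_regions": set(), "rules": set()})
    os_pids = defaultdict(set)   # image -> OS PIDs seen in "Process Memory Space" hits
    for line in text.splitlines():
        src, kind = _source(line)
        if src is None:
            continue
        entry = None
        if kind == "UNPACKEDPE":
            m = UNPACK_RE.match(src)
            if m:
                entry = procs[int(m.group("proc"))]
                entry["image"] = m.group("image")            # process index -> image name
                entry["regions"].add(int(m.group("addr"), 16))
        elif (m := PROCSPACE_RE.match(src)):
            os_pids[m.group("image")].add(int(m.group("pid")))
        elif (m := DUMP_RE.match(src)):
            entry = procs[int(m.group("proc"), 16)]          # 0000000D -> 13
            addr = int(m.group("addr"), 16)
            entry["regions"].add(addr)
            if int(m.group("prot"), 16) == PAGE_EXECUTE_READWRITE:
                entry["rwx_regions"].add(addr)
        rule = RULE_RE.search(line)
        if entry is not None and rule:
            entry["rules"].add(rule.group("rule"))
    return {"processes": dict(procs), "os_pids": dict(os_pids)}


def hollowed_candidates(summary):
    """Heuristic (assumption): RWX pages in the default x86 image-base range suggest a hollowed image."""
    return sorted(idx for idx, p in summary["processes"].items()
                  if any(0x400000 <= a < 0x500000 for a in p["rwx_regions"]))


if __name__ == "__main__":
    s = correlate(SAMPLE_LINES)
    for idx, p in sorted(s["processes"].items()):
        print(idx, p["image"], sorted(hex(a) for a in p["regions"]), sorted(p["rules"]))
    print("hollowing candidates:", hollowed_candidates(s))
```

On the full lists above this maps index 2 to khJdbt0clZ.exe and indexes 13 and 16 to the dropped WindowsUpdate.exe copies, with both the Kevin Breen and JPCERT/CC rules hitting the 0x400000 region of each, which is the picture you would expect from a .NET loader that hollows a fresh process and writes the decrypted HawkEye payload over its image.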
Source: 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000001.722730820.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000001.722730820.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.735805996.00000000037D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.735805996.00000000037D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.940290708.0000000002751000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.722912236.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.722912236.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000003.724021644.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.724021644.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.734421935.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.734421935.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.922951576.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.922951576.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.925419239.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.925419239.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.951758588.00000000048F8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.951758588.00000000048F8000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.783181268.00000000038D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.783181268.00000000038D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000003.756477994.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000003.756477994.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.WindowsUpdate.exe.870000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.WindowsUpdate.exe.870000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.khJdbt0clZ.exe.770000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.khJdbt0clZ.exe.770000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.khJdbt0clZ.exe.770000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.khJdbt0clZ.exe.770000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.3.WindowsUpdate.exe.720000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.WindowsUpdate.exe.720000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 0_2_0040255D __vbaChkstk,__vbaHresultCheckObj,#610,__vbaVarMove,#662,__vbaI4Var,__vbaFreeVar,#517,__vbaStrMove,#695,__vbaVarMove,#581,#538,__vbaVarMove,#589,#631,__vbaStrMove,__vbaFreeVar,__vbaStrCopy,__vbaStrCopy,__vbaStrCopy,__vbaStrCopy,__vbaStrCopy,__vbaStrCopy,__vbaStrCopy,__vbaStrCopy,NtSetInformationProcess, 0_2_0040255D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 11_2_0097061E NtProtectVirtualMemory, 11_2_0097061E
Detected potential crypto function
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0040D426 2_2_0040D426
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0040D523 2_2_0040D523
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0041D5AE 2_2_0041D5AE
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_00417646 2_2_00417646
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0040D6C4 2_2_0040D6C4
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_004429BE 2_2_004429BE
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_00446AF4 2_2_00446AF4
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0046ABFC 2_2_0046ABFC
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_00463C4D 2_2_00463C4D
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_00463CBE 2_2_00463CBE
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0040ED03 2_2_0040ED03
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_00463D2F 2_2_00463D2F
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_00463DC0 2_2_00463DC0
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0040CF92 2_2_0040CF92
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0041AFA6 2_2_0041AFA6
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_049F7098 2_2_049F7098
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_2_0043C7BC 2_2_0043C7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00404DDB 4_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_0040BD8A 4_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00404E4C 4_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00404EBD 4_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00404F4E 4_2_00404F4E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_004E649F 13_2_004E649F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_004ED1F0 13_2_004ED1F0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_004E66CE 13_2_004E66CE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_004ED69E 13_2_004ED69E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 13_2_004F0BF8 13_2_004F0BF8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_005BD1F0 16_2_005BD1F0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_005C0BF8 16_2_005C0BF8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_005B649F 16_2_005B649F
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_005B66CE 16_2_005B66CE
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 16_2_005BD69E 16_2_005BD69E
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: String function: 0044BA9D appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 005B23F0 appears 31 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 004E23F0 appears 31 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 176
PE file contains strange resources
Source: khJdbt0clZ.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: khJdbt0clZ.exe, 00000000.00000000.655960235.0000000000405000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebesvrligheder.exe vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000001.00000000.657739141.0000000000405000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebesvrligheder.exe vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe Binary or memory string: OriginalFilename vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe Binary or memory string: OriginalFileName vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000002.00000002.928188332.0000000000849000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000002.00000000.659741682.0000000000405000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebesvrligheder.exe vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000002.00000002.966783630.0000000006D80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe, 00000002.00000002.956586699.0000000004CA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs khJdbt0clZ.exe
Source: khJdbt0clZ.exe Binary or memory string: OriginalFilenamebesvrligheder.exe vs khJdbt0clZ.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000001.755673944.0000000000442000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000001.755673944.0000000000442000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000003.662790681.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000003.662790681.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000003.755220257.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000003.755220257.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.765004269.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.765004269.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000003.760172040.0000000002490000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000003.760172040.0000000002490000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.951259163.00000000037CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.951259163.00000000037CE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000001.722730820.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000001.722730820.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.735805996.00000000037D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.735805996.00000000037D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.940290708.0000000002751000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.722912236.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000003.722912236.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000003.724021644.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000003.724021644.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.734421935.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.734421935.0000000000870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.922951576.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.922951576.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.925419239.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.925419239.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.951758588.00000000048F8000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.951758588.00000000048F8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.783181268.00000000038D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.783181268.00000000038D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000003.756477994.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000003.756477994.0000000000720000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.3.WindowsUpdate.exe.870000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.3.WindowsUpdate.exe.870000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.3.khJdbt0clZ.exe.770000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.3.khJdbt0clZ.exe.770000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.3.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.3.khJdbt0clZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.3.khJdbt0clZ.exe.770000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.3.khJdbt0clZ.exe.770000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.3.WindowsUpdate.exe.720000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.3.WindowsUpdate.exe.720000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.3.WindowsUpdate.exe.870000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.3.WindowsUpdate.exe.870000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.khJdbt0clZ.exe.770000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.khJdbt0clZ.exe.770000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000001.755673944.0000000000442000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000010.00000001.755673944.0000000000442000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000003.662790681.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000003.662790681.0000000000770000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.3.WindowsUpdate.exe.720000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.720000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 16.2.WindowsUpdate.exe.720000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.khJdbt0clZ.exe.770000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.870000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.870000.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.3.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.3.WindowsUpdate.exe.870000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.3.WindowsUpdate.exe.870000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.khJdbt0clZ.exe.770000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.khJdbt0clZ.exe.770000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.khJdbt0clZ.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 16.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@21/19@3/3
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Code function: 2_3_00401000 FindResourceA,LoadResource,LockResource,SizeofResource, 2_3_00401000
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File created: C:\Users\user\AppData\Roaming\pid.txt
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6628
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6532
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DDA.tmp
Source: khJdbt0clZ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: khJdbt0clZ.exe Virustotal: Detection: 65%
Source: khJdbt0clZ.exe Metadefender: Detection: 29%
Source: khJdbt0clZ.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File read: C:\Users\user\Desktop\khJdbt0clZ.exe
Source: unknown Process created: C:\Users\user\Desktop\khJdbt0clZ.exe 'C:\Users\user\Desktop\khJdbt0clZ.exe'
Source: unknown Process created: C:\Users\user\Desktop\khJdbt0clZ.exe 'C:\Users\user\Desktop\khJdbt0clZ.exe'
Source: unknown Process created: C:\Users\user\Desktop\khJdbt0clZ.exe 'C:\Users\user\Desktop\khJdbt0clZ.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 176
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 508
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Process created: C:\Users\user\Desktop\khJdbt0clZ.exe 'C:\Users\user\Desktop\khJdbt0clZ.exe'
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Process created: C:\Users\user\Desktop\khJdbt0clZ.exe 'C:\Users\user\Desktop\khJdbt0clZ.exe'
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\khJdbt0clZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File written: C:\Windows\win.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: khJdbt0clZ.exe Static file information: File size 1601536 > 1048576
Source: C:\Users\user\Desktop\khJdbt0clZ.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: khJdbt0clZ.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x182000
Source: Binary string: C:\Windows\System.Runtime.Remoting.pdb source: khJdbt0clZ.exe, 00000002.00000002.934694056.0000000002407000.00000004.00000040.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 00000009.00000002.783700112.00000000050D0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.788090162.00000000050E0000.00000002.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.709725457.0000000002D9C000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.712664147.0000000002F35000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: 1}oC:\Windows\System.Runtime.Remoting.pdb source: khJdbt0clZ.exe, 00000002.00000002.970251337.000000000804B000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.725463541.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: khJdbt0clZ.exe, 00000002.00000002.934694056.0000000002407000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.725463541.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.716606712.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.712633860.0000000002F2F000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.725463541.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 00000009.00000002.783700112.00000000050D0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.788090162.00000000050E0000.00000002.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb^6|6 source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb|`4 source: khJdbt0clZ.exe, 00000002.00000002.930091125.00000000008BD000.00000004.00000020.sdmp
Source: Binary string: wgdi32.pdbk source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.716606712.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 0000000A.00000003.713758458.0000000002F3B000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: indows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: khJdbt0clZ.exe, 00000002.00000002.934694056.0000000002407000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.725463541.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000001.754855687.0000000000404000.00000040.00020000.sdmp
Source: Binary string: DDsymbols\dll\System.Runtime.Remoting.pdb source: khJdbt0clZ.exe, 00000002.00000002.970251337.000000000804B000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000009.00000003.709693611.0000000002D95000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: khJdbt0clZ.exe, 00000002.00000002.928188332.0000000000849000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000A.00000003.712633860.0000000002F2F000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb! source: khJdbt0clZ.exe, 00000002.00000002.934694056.0000000002407000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: comdlg32.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GA.pdbL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.d source: khJdbt0clZ.exe, 00000002.00000002.970251337.000000000804B000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.725463541.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0| source: khJdbt0clZ.exe, 00000002.00000002.934694056.0000000002407000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: khJdbt0clZ.exe, 00000002.00000002.930091125.00000000008BD000.00000004.00000020.sdmp
Source: Binary string: Kernel.Appcore.pdb]>t5 source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: khJdbt0clZ.exe, 00000002.00000002.934694056.0000000002407000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: WindowsUpdate.exe, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: khJdbt0clZ.exe, 00000002.00000002.928188332.0000000000849000.00000004.00000020.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: khJdbt0clZ.exe, 00000002.00000002.934694056.0000000002407000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: khJdbt0clZ.exe, 00000002.00000002.956586699.0000000004CA0000.00000002.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\System.Runtime.Remoting.pdbxx? source: khJdbt0clZ.exe, 00000002.00000002.930091125.00000000008BD000.00000004.00000020.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.725463541.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.725543362.0000000004FC7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000A.00000003.713758458.0000000002F3B000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.725463541.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.725499206.0000000004FC0000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000A.00000003.712664147.0000000002F35000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.725463541.0000000004FF1000.00000004.00000001.sdmp
Source: Binary string: indows\System.Runtime.Remoting.pdbpdbing.pdb source: khJdbt0clZ.exe, 00000002.00000002.934694056.0000000002407000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000009.00000003.716606712.0000000004FE1000.00000004.00000001.sdmp