Loading ...

Play interactive tourEdit tour

Analysis Report khJdbt0clZ

Overview

General Information

Sample Name:khJdbt0clZ (renamed file extension from none to exe)
Analysis ID:317798
MD5:2ebcbce3a454b07ae4bef1f9bdf1aeed
SHA1:203022baa8bd7d52fd1066e9afc99b1039e6707e
SHA256:6351df97ad5c397ca6f90b7344b534dd95ad10e3945dce4766c52615af96ba86
Tags:HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected Generic Dropper
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • khJdbt0clZ.exe (PID: 5500 cmdline: 'C:\Users\user\Desktop\khJdbt0clZ.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
    • khJdbt0clZ.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\khJdbt0clZ.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
      • khJdbt0clZ.exe (PID: 6124 cmdline: 'C:\Users\user\Desktop\khJdbt0clZ.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
        • vbc.exe (PID: 6628 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 6504 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6628 -s 508 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
        • vbc.exe (PID: 6532 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
          • WerFault.exe (PID: 6568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 6948 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
    • WindowsUpdate.exe (PID: 6924 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
      • WindowsUpdate.exe (PID: 6984 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
  • WindowsUpdate.exe (PID: 7004 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
    • WindowsUpdate.exe (PID: 7096 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
      • WindowsUpdate.exe (PID: 4972 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: 2EBCBCE3A454B07AE4BEF1F9BDF1AEED)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
  • 0x7b6e4:$key: HawkEyeKeylogger
  • 0x7d906:$salt: 099u787978786
  • 0x7bcf1:$string1: HawkEye_Keylogger
  • 0x7cb30:$string1: HawkEye_Keylogger
  • 0x7d866:$string1: HawkEye_Keylogger
  • 0x7c0c6:$string2: holdermail.txt
  • 0x7c0e6:$string2: holdermail.txt
  • 0x7c008:$string3: wallet.dat
  • 0x7c020:$string3: wallet.dat
  • 0x7c036:$string3: wallet.dat
  • 0x7d448:$string4: Keylog Records
  • 0x7d760:$string4: Keylog Records
  • 0x7d95e:$string5: do not script -->
  • 0x7b6cc:$string6: \pidloc.txt
  • 0x7b726:$string7: BSPLIT
  • 0x7b736:$string7: BSPLIT
0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
      0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
        0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmpHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
        • 0x7bd49:$hawkstr1: HawkEye Keylogger
        • 0x7cb76:$hawkstr1: HawkEye Keylogger
        • 0x7cea5:$hawkstr1: HawkEye Keylogger
        • 0x7d000:$hawkstr1: HawkEye Keylogger
        • 0x7d163:$hawkstr1: HawkEye Keylogger
        • 0x7d420:$hawkstr1: HawkEye Keylogger
        • 0x7b8d7:$hawkstr2: Dear HawkEye Customers!
        • 0x7cef8:$hawkstr2: Dear HawkEye Customers!
        • 0x7d04f:$hawkstr2: Dear HawkEye Customers!
        • 0x7d1b6:$hawkstr2: Dear HawkEye Customers!
        • 0x7b9f8:$hawkstr3: HawkEye Logger Details:
        Click to see the 137 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        2.2.khJdbt0clZ.exe.400000.0.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
        • 0x7b8e4:$key: HawkEyeKeylogger
        • 0x7db06:$salt: 099u787978786
        • 0x7bef1:$string1: HawkEye_Keylogger
        • 0x7cd30:$string1: HawkEye_Keylogger
        • 0x7da66:$string1: HawkEye_Keylogger
        • 0x7c2c6:$string2: holdermail.txt
        • 0x7c2e6:$string2: holdermail.txt
        • 0x7c208:$string3: wallet.dat
        • 0x7c220:$string3: wallet.dat
        • 0x7c236:$string3: wallet.dat
        • 0x7d648:$string4: Keylog Records
        • 0x7d960:$string4: Keylog Records
        • 0x7db5e:$string5: do not script -->
        • 0x7b8cc:$string6: \pidloc.txt
        • 0x7b926:$string7: BSPLIT
        • 0x7b936:$string7: BSPLIT
        2.2.khJdbt0clZ.exe.400000.0.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
          2.2.khJdbt0clZ.exe.400000.0.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
            2.2.khJdbt0clZ.exe.400000.0.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
              2.2.khJdbt0clZ.exe.400000.0.unpackHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
              • 0x7bf49:$hawkstr1: HawkEye Keylogger
              • 0x7cd76:$hawkstr1: HawkEye Keylogger
              • 0x7d0a5:$hawkstr1: HawkEye Keylogger
              • 0x7d200:$hawkstr1: HawkEye Keylogger
              • 0x7d363:$hawkstr1: HawkEye Keylogger
              • 0x7d620:$hawkstr1: HawkEye Keylogger
              • 0x7bad7:$hawkstr2: Dear HawkEye Customers!
              • 0x7d0f8:$hawkstr2: Dear HawkEye Customers!
              • 0x7d24f:$hawkstr2: Dear HawkEye Customers!
              • 0x7d3b6:$hawkstr2: Dear HawkEye Customers!
              • 0x7bbf8:$hawkstr3: HawkEye Logger Details:
              Click to see the 104 entries

              Sigma Overview

              No Sigma rule has matched

              Signature Overview

              Click to jump to signature section

              Show All Signature Results

              AV Detection:

              barindex
              Antivirus / Scanner detection for submitted sampleShow sources
              Source: khJdbt0clZ.exeAvira: detected
              Source: khJdbt0clZ.exeAvira: detected
              Antivirus detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeAvira: detection malicious, Label: HEUR/AGEN.1117896
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeAvira: detection malicious, Label: HEUR/AGEN.1117896
              Found malware configurationShow sources
              Source: WindowsUpdate.exe.6924.12.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
              Source: WindowsUpdate.exe.6924.12.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
              Multi AV Scanner detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 29%Perma Link
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 47%
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 29%Perma Link
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 47%
              Multi AV Scanner detection for submitted fileShow sources
              Source: khJdbt0clZ.exeVirustotal: Detection: 65%Perma Link
              Source: khJdbt0clZ.exeMetadefender: Detection: 29%Perma Link
              Source: khJdbt0clZ.exeReversingLabs: Detection: 47%
              Source: khJdbt0clZ.exeVirustotal: Detection: 65%Perma Link
              Source: khJdbt0clZ.exeMetadefender: Detection: 29%Perma Link
              Source: khJdbt0clZ.exeReversingLabs: Detection: 47%
              Machine Learning detection for dropped fileShow sources
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
              Machine Learning detection for sampleShow sources
              Source: khJdbt0clZ.exeJoe Sandbox ML: detected
              Source: khJdbt0clZ.exeJoe Sandbox ML: detected
              Source: 2.2.khJdbt0clZ.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.khJdbt0clZ.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 16.3.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 16.3.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 16.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 16.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.3.khJdbt0clZ.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.3.khJdbt0clZ.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.3.khJdbt0clZ.exe.770000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 16.1.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: 2.1.khJdbt0clZ.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.1.khJdbt0clZ.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.1.khJdbt0clZ.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.1.khJdbt0clZ.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 13.1.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/Inject.vcoldi
              Source: 13.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 13.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 16.3.WindowsUpdate.exe.720000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 16.2.WindowsUpdate.exe.720000.2.unpackAvira: Label: TR/Inject.vcoldi
              Source: 13.2.WindowsUpdate.exe.870000.2.unpackAvira: Label: TR/Inject.vcoldi
              Source: 13.3.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 13.3.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 13.3.WindowsUpdate.exe.870000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 2.2.khJdbt0clZ.exe.770000.2.unpackAvira: Label: TR/Inject.vcoldi
              Source: 2.2.khJdbt0clZ.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.2.khJdbt0clZ.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 16.3.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 16.3.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 16.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 16.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.3.khJdbt0clZ.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.3.khJdbt0clZ.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.3.khJdbt0clZ.exe.770000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 16.1.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/Dropper.Gen
              Source: 2.1.khJdbt0clZ.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.1.khJdbt0clZ.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 2.1.khJdbt0clZ.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 2.1.khJdbt0clZ.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 13.1.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/Inject.vcoldi
              Source: 13.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 13.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 16.3.WindowsUpdate.exe.720000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 16.2.WindowsUpdate.exe.720000.2.unpackAvira: Label: TR/Inject.vcoldi
              Source: 13.2.WindowsUpdate.exe.870000.2.unpackAvira: Label: TR/Inject.vcoldi
              Source: 13.3.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
              Source: 13.3.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
              Source: 13.3.WindowsUpdate.exe.870000.1.unpackAvira: Label: TR/Inject.vcoldi
              Source: 2.2.khJdbt0clZ.exe.770000.2.unpackAvira: Label: TR/Inject.vcoldi
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: khJdbt0clZ.exeBinary or memory string: autorun.inf
              Source: khJdbt0clZ.exeBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: WindowsUpdate.exeBinary or memory string: autorun.inf
              Source: WindowsUpdate.exeBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: khJdbt0clZ.exeBinary or memory string: autorun.inf
              Source: khJdbt0clZ.exeBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: WindowsUpdate.exeBinary or memory string: autorun.inf
              Source: WindowsUpdate.exeBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpBinary or memory string: autorun.inf
              Source: WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpBinary or memory string: [autorun]
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00406EC3
              Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,4_2_00406EC3
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]13_2_049F0728
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]13_2_049F0728
              Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 4x nop then lea esp, dword ptr [ebp-0Ch]16_2_049F0728

              Networking:

              barindex
              May check the online IP address of the machineShow sources
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: unknownDNS query: name: whatismyipaddress.com
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
              Source: Joe Sandbox ViewIP Address: 104.16.154.36 104.16.154.36
              Source: C:\Users\user\Desktop\khJdbt0clZ.exeCode function: 2_2_0083A186 recv,2_2_0083A186
              Source: C:\Users\user\Desktop\khJdbt0clZ.exeCode function: 2_2_0083A186 recv,2_2_0083A186
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: khJdbt0clZ.exe, WindowsUpdate.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: khJdbt0clZ.exe, WindowsUpdate.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: unknownDNS traffic detected: queries for: 172.224.8.0.in-addr.arpa
              Source: unknownDNS traffic detected: queries for: 172.224.8.0.in-addr.arpa
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
              Source: WindowsUpdate.exe, 0000000D.00000002.735237843.00000000027D1000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.782569035.00000000028D1000.00000004.00000001.sdmpString found in binary or memory: http://foo.com/fooT
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: khJdbt0clZ.exe, WindowsUpdate.exeString found in binary or memory: http://whatismyipaddress.com/
              Source: khJdbt0clZ.exe, 00000001.00000002.665547619.0000000003468000.00000040.00000001.sdmp, khJdbt0clZ.exe, 00000002.00000003.662141694.0000000000404000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.725556440.00000000034F8000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.733795690.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000F.00000002.775165746.00000000035A8000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000010.00000002.761354377.0000000000402000.00000040.00000001.sdmpString found in binary or memory: http://whatismyipaddress.com/-
              Source: khJdbt0clZ.exe, 00000002.00000003.671438689.0000000004EAC000.00000004.00000001.sdmpString found in binary or memory: http://www.agfamonotype.E
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
              Source: khJdbt0clZ.exe, 00000002.00000003.666423676.0000000004E84000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comva
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.0000000006112000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
              Source: khJdbt0clZ.exe, 00000002.00000002.965353495.000000