Analysis Report mR3CdUkyLL

Overview

General Information

Sample Name:	mR3CdUkyLL (renamed file extension from none to exe)
Analysis ID:	317952
MD5:	eecf912977165e444a64805ec4652e5d
SHA1:	5bdb844b98123e144ec67a4b8c54ce99a66eca1e
SHA256:	c38fcd03c34336492b502735c0704bd4685d33ab29a69358e26ed201254ea63a
Tags:	HawkEye
Most interesting Screenshot:

Detection

HawkEye MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected HawkEye Rat

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected HawkEye Keylogger

Yara detected MailPassView

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to detect sleep reduction / modifications

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains strange resources

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: mR3CdUkyLL.exe.6092.1.memstr	Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: mR3CdUkyLL.exe.6092.1.memstr	Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Metadefender: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Metadefender: Detection: 37%	Perma Link
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	ReversingLabs: Detection: 60%

Multi AV Scanner detection for submitted file

Source: mR3CdUkyLL.exe	Metadefender: Detection: 37%	Perma Link
Source: mR3CdUkyLL.exe	ReversingLabs: Detection: 60%
Source: mR3CdUkyLL.exe	Metadefender: Detection: 37%	Perma Link
Source: mR3CdUkyLL.exe	ReversingLabs: Detection: 60%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: mR3CdUkyLL.exe	Joe Sandbox ML: detected
Source: mR3CdUkyLL.exe	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack	Avira: Label: TR/Inject.vcoldi
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack	Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack	Avira: Label: TR/Inject.vcoldi
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 12.2.WindowsUpdate.exe.23d0000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack	Avira: Label: TR/Inject.vcoldi
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack	Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack	Avira: Label: TR/Inject.vcoldi
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack	Avira: Label: SPR/Tool.MailPassView.473
Source: 12.2.WindowsUpdate.exe.23d0000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack	Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack	Avira: Label: SPR/Tool.MailPassView.473

Spreading:

May infect USB drives

Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: mR3CdUkyLL.exe	Binary or memory string: autorun.inf
Source: mR3CdUkyLL.exe	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: mR3CdUkyLL.exe	Binary or memory string: autorun.inf
Source: mR3CdUkyLL.exe	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: [autorun]

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0047A5CC FindFirstFileA,GetLastError,FindClose,	0_2_0047A5CC
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_00408AA8
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00408B84 FindFirstFileA,GetLastError,	0_2_00408B84
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405B94
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0047A5CC FindFirstFileA,GetLastError,FindClose,	0_2_0047A5CC
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_00408AA8
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00408B84 FindFirstFileA,GetLastError,	0_2_00408B84
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405B94
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	3_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	4_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	4_2_00407E0E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0047A5CC FindFirstFileA,GetLastError,FindClose,	8_2_0047A5CC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	8_2_00408AA8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00408B84 FindFirstFileA,GetLastError,	8_2_00408B84
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_00405B94

Networking:

May check the online IP address of the machine

Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.16.155.36 104.16.155.36
Source: Joe Sandbox View	IP Address: 104.16.155.36 104.16.155.36

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: mR3CdUkyLL.exe, vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmp	String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmp	String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: mR3CdUkyLL.exe, vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmp	String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmp	String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)

Source: unknown	DNS traffic detected: queries for: 59.60.14.0.in-addr.arpa
Source: unknown	DNS traffic detected: queries for: 59.60.14.0.in-addr.arpa

Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: mR3CdUkyLL.exe, 00000001.00000003.216746551.0000000004F5D000.00000004.00000001.sdmp	String found in binary or memory: http://en.wUi
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000000A.00000002.295211103.0000000002A81000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.295188375.0000000002A21000.00000004.00000001.sdmp	String found in binary or memory: http://foo.com/fooT
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com
Source: mR3CdUkyLL.exe	String found in binary or memory: http://whatismyipaddress.com/
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: mR3CdUkyLL.exe, 00000001.00000003.218568151.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: mR3CdUkyLL.exe, 00000001.00000003.218875791.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comand
Source: mR3CdUkyLL.exe, 00000001.00000003.218923460.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comi
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comits
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtig
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comues5
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000003.222511830.0000000004F81000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mR3CdUkyLL.exe, 00000001.00000003.221669256.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mR3CdUkyLL.exe, 00000001.00000003.221669256.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersB
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: mR3CdUkyLL.exe, 00000001.00000003.222048920.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: mR3CdUkyLL.exe, 00000001.00000003.226579668.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersW
Source: mR3CdUkyLL.exe, 00000001.00000003.222740086.0000000004F81000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersv
Source: mR3CdUkyLL.exe, 00000001.00000003.222511830.0000000004F81000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~
Source: mR3CdUkyLL.exe, 00000001.00000002.285417266.0000000000970000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comm1;
Source: mR3CdUkyLL.exe, 00000001.00000002.285417266.0000000000970000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.commfet
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: mR3CdUkyLL.exe, 00000001.00000003.217831744.0000000004F6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mR3CdUkyLL.exe, 00000001.00000003.217939403.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnK
Source: mR3CdUkyLL.exe, 00000001.00000003.217939403.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnU
Source: mR3CdUkyLL.exe, 00000001.00000003.217831744.0000000004F6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnj
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000004.00000002.254378292.0000000000768000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpEM3LMEM
Source: vbc.exe, 00000004.00000002.254378292.0000000000768000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpCLMEMh
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mR3CdUkyLL.exe, 00000001.00000003.218780732.0000000004F66000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnr
Source: mR3CdUkyLL.exe, vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: https://whatismyipaddress.com
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: https://whatismyipaddress.com/
Source: mR3CdUkyLL.exe, vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000004.00000002.254391075.000000000077C000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 00000004.00000002.254391075.000000000077C000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: mR3CdUkyLL.exe, 00000001.00000003.216746551.0000000004F5D000.00000004.00000001.sdmp	String found in binary or memory: http://en.wUi
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000000A.00000002.295211103.0000000002A81000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.295188375.0000000002A21000.00000004.00000001.sdmp	String found in binary or memory: http://foo.com/fooT
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com
Source: mR3CdUkyLL.exe	String found in binary or memory: http://whatismyipaddress.com/
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: mR3CdUkyLL.exe, 00000001.00000003.218568151.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: mR3CdUkyLL.exe, 00000001.00000003.218875791.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comand
Source: mR3CdUkyLL.exe, 00000001.00000003.218923460.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comi
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comits
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtig
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comues5
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000003.222511830.0000000004F81000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mR3CdUkyLL.exe, 00000001.00000003.221669256.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mR3CdUkyLL.exe, 00000001.00000003.221669256.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersB
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: mR3CdUkyLL.exe, 00000001.00000003.222048920.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersP
Source: mR3CdUkyLL.exe, 00000001.00000003.226579668.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersW
Source: mR3CdUkyLL.exe, 00000001.00000003.222740086.0000000004F81000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersv
Source: mR3CdUkyLL.exe, 00000001.00000003.222511830.0000000004F81000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~
Source: mR3CdUkyLL.exe, 00000001.00000002.285417266.0000000000970000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comm1;
Source: mR3CdUkyLL.exe, 00000001.00000002.285417266.0000000000970000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.commfet
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: mR3CdUkyLL.exe, 00000001.00000003.217831744.0000000004F6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mR3CdUkyLL.exe, 00000001.00000003.217939403.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnK
Source: mR3CdUkyLL.exe, 00000001.00000003.217939403.0000000004F82000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnU
Source: mR3CdUkyLL.exe, 00000001.00000003.217831744.0000000004F6A000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnj
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000004.00000002.254378292.0000000000768000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpEM3LMEM
Source: vbc.exe, 00000004.00000002.254378292.0000000000768000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpCLMEMh
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mR3CdUkyLL.exe, 00000001.00000003.218780732.0000000004F66000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnr
Source: mR3CdUkyLL.exe, vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: https://whatismyipaddress.com
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp	String found in binary or memory: https://whatismyipaddress.com/
Source: mR3CdUkyLL.exe, vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000004.00000002.254391075.000000000077C000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 00000004.00000002.254391075.000000000077C000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger

Source: Yara match	File source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mR3CdUkyLL.exe PID: 6092, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6960, type: MEMORY
Source: Yara match	File source: Process Memory Space: mR3CdUkyLL.exe PID: 6124, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6696, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6500, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6944, type: MEMORY
Source: Yara match	File source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	.Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs	.Net Code: HookKeyboard

Installs a global keyboard hook

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\mR3CdUkyLL.exe			Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\mR3CdUkyLL.exe			Jump to behavior

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_004071F6 OpenClipboard,		0_2_004071F6
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_004071F6 OpenClipboard,		0_2_004071F6

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0042EE20 GetClipboardData,GlobalFix,GlobalUnWire,		0_2_0042EE20
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0042EE20 GetClipboardData,GlobalFix,GlobalUnWire,		0_2_0042EE20

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_004368B0 GetKeyboardState,		0_2_004368B0
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_004368B0 GetKeyboardState,		0_2_004368B0

Creates a DirectInput object (often for capturing keystrokes)

Source: WindowsUpdate.exe, 00000008.00000002.262216042.00000000007DA000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: WindowsUpdate.exe, 00000008.00000002.262216042.00000000007DA000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

Yara detected Keylogger Generic

Source: Yara match	File source: Process Memory Space: mR3CdUkyLL.exe PID: 6092, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6960, type: MEMORY
Source: Yara match	File source: Process Memory Space: mR3CdUkyLL.exe PID: 6124, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6696, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6500, type: MEMORY
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 6944, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0042E44C NtdllDefWindowProc_A,	0_2_0042E44C
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_004548D4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_004548D4
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00448D28 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_00448D28
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00439760 NtdllDefWindowProc_A,GetCapture,	0_2_00439760
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0042E44C NtdllDefWindowProc_A,	0_2_0042E44C
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_004548D4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_004548D4
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00448D28 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_00448D28
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00439760 NtdllDefWindowProc_A,GetCapture,	0_2_00439760
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_00490159 NtCreateSection,	1_2_00490159
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary,	4_2_00408836
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0042E44C NtdllDefWindowProc_A,	8_2_0042E44C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_004548D4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	8_2_004548D4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00448D28 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A,	8_2_00448D28
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00439760 NtdllDefWindowProc_A,GetCapture,	8_2_00439760

Detected potential crypto function

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0044E82C	0_2_0044E82C
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00448D28	0_2_00448D28
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0046CE14	0_2_0046CE14
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00473154	0_2_00473154
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00413434	0_2_00413434
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0044E82C	0_2_0044E82C
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00448D28	0_2_00448D28
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_0046CE14	0_2_0046CE14
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00473154	0_2_00473154
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00413434	0_2_00413434
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0040D426	1_2_0040D426
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0040D523	1_2_0040D523
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0041D5AE	1_2_0041D5AE
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_00417646	1_2_00417646
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_004429BE	1_2_004429BE
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_00446AF4	1_2_00446AF4
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0046ABFC	1_2_0046ABFC
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_00463C4D	1_2_00463C4D
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_00463CBE	1_2_00463CBE
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0040ED03	1_2_0040ED03
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_00463D2F	1_2_00463D2F
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_00463DC0	1_2_00463DC0
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0040CF92	1_2_0040CF92
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0041AFA6	1_2_0041AFA6
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0048F13D	1_2_0048F13D
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_00489976	1_2_00489976
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_004F9017	1_2_004F9017
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_004F90A8	1_2_004F90A8
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_004A227A	1_2_004A227A
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_004B028E	1_2_004B028E
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 1_2_0043C7BC	1_2_0043C7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00404DDB	3_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_0040BD8A	3_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00404E4C	3_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00404EBD	3_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 3_2_00404F4E	3_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00404419	4_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00404516	4_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00413538	4_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_004145A1	4_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_0040E639	4_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_004337AF	4_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_004399B1	4_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_0043DAE7	4_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00405CF6	4_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00403F85	4_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00411F99	4_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0044E82C	8_2_0044E82C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00448D28	8_2_00448D28
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_0046CE14	8_2_0046CE14
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00473154	8_2_00473154
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 8_2_00413434	8_2_00413434

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: String function: 004043EC appears 77 times
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: String function: 004039C8 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: String function: 004043EC appears 77 times
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: String function: 0044BA9D appears 35 times
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: String function: 004039C8 appears 31 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: String function: 004043EC appears 77 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: String function: 004039C8 appears 31 times

One or more processes crash

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2336
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2336

PE file contains strange resources

Source: mR3CdUkyLL.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mR3CdUkyLL.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.1.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: mR3CdUkyLL.exe, 00000000.00000002.215336133.0000000002A92000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.214630392.0000000002180000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe	Binary or memory string: OriginalFilename vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe	Binary or memory string: OriginalFileName vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.285598715.0000000002332000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.295145140.0000000006DE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215336133.0000000002A92000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.214630392.0000000002180000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe	Binary or memory string: OriginalFilename vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe	Binary or memory string: OriginalFileName vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.285598715.0000000002332000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePhulli.exe0 vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.295145140.0000000006DE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs mR3CdUkyLL.exe

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll	Jump to behavior

Yara signature match

Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs	Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='

Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@16/13@3/3

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00422788 GetLastError,FormatMessageA,		0_2_00422788
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00422788 GetLastError,FormatMessageA,		0_2_00422788

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00408D82 GetDiskFreeSpaceA,		0_2_00408D82
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00408D82 GetDiskFreeSpaceA,		0_2_00408D82

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,		4_2_00411196
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 4_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,		4_2_00411196

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00418974 FindResourceA,LoadResource,SizeofResource,LockResource,		0_2_00418974
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Code function: 0_2_00418974 FindResourceA,LoadResource,SizeofResource,LockResource,		0_2_00418974

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File created: C:\Users\user\AppData\Roaming\pid.txt			Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File created: C:\Users\user\AppData\Roaming\pid.txt			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6092
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6092
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER49BC.tmp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER49BC.tmp			Jump to behavior

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	System information queried: HandleInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	System information queried: HandleInformation			Jump to behavior

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers			Jump to behavior

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: mR3CdUkyLL.exe	Metadefender: Detection: 37%
Source: mR3CdUkyLL.exe	ReversingLabs: Detection: 60%
Source: mR3CdUkyLL.exe	Metadefender: Detection: 37%
Source: mR3CdUkyLL.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File read: C:\Users\user\Desktop\mR3CdUkyLL.exe			Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	File read: C:\Users\user\Desktop\mR3CdUkyLL.exe			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mR3CdUkyLL.exe 'C:\Users\user\Desktop\mR3CdUkyLL.exe'
Source: unknown	Process created: C:\Users\user\Desktop\mR3CdUkyLL.exe 'C:\Users\user\Desktop\mR3CdUkyLL.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2336
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 2348
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Process created: C:\Users\user\Desktop\mR3CdUkyLL.exe 'C:\Users\user\Desktop\mR3CdUkyLL.exe'	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2336	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'	Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown	Process created: C:\Users\user\Desktop\mR3CdUkyLL.exe 'C:\Users\user\Desktop\mR3CdUkyLL.exe'
Source: unknown	Process created: C:\Users\user\Desktop\mR3CdUkyLL.exe 'C:\Users\user\Desktop\mR3CdUkyLL.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2336
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\

Analysis Report mR3CdUkyLL

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary: