Analysis Report mR3CdUkyLL

Overview

General Information

Sample Name: mR3CdUkyLL (renamed file extension from none to exe)
Analysis ID: 317952
MD5: eecf912977165e444a64805ec4652e5d
SHA1: 5bdb844b98123e144ec67a4b8c54ce99a66eca1e
SHA256: c38fcd03c34336492b502735c0704bd4685d33ab29a69358e26ed201254ea63a
Tags: HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: mR3CdUkyLL.exe.6092.1.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: mR3CdUkyLL.exe Metadefender: Detection: 37%
Source: mR3CdUkyLL.exe ReversingLabs: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: mR3CdUkyLL.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 12.2.WindowsUpdate.exe.23d0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473

Spreading:

May infect USB drives
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: mR3CdUkyLL.exe Binary or memory string: autorun.inf
Source: mR3CdUkyLL.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_0047A5CC FindFirstFileA,GetLastError,FindClose, 0_2_0047A5CC
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408AA8
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00408B84 FindFirstFileA,GetLastError, 0_2_00408B84
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405B94
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen, 3_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen, 4_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00407E0E FindFirstFileW,FindNextFileW,FindClose, 4_2_00407E0E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_0047A5CC FindFirstFileA,GetLastError,FindClose, 8_2_0047A5CC
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 8_2_00408AA8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00408B84 FindFirstFileA,GetLastError, 8_2_00408B84
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 8_2_00405B94

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.155.36 104.16.155.36
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: mR3CdUkyLL.exe, vbc.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: 59.60.14.0.in-addr.arpa
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: mR3CdUkyLL.exe, 00000001.00000003.216746551.0000000004F5D000.00000004.00000001.sdmp String found in binary or memory: http://en.wUi
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000000A.00000002.295211103.0000000002A81000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.295188375.0000000002A21000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/fooT
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: mR3CdUkyLL.exe String found in binary or memory: http://whatismyipaddress.com/
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: mR3CdUkyLL.exe, 00000001.00000003.218568151.0000000004F83000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: mR3CdUkyLL.exe, 00000001.00000003.218875791.0000000004F83000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comand
Source: mR3CdUkyLL.exe, 00000001.00000003.218923460.0000000004F83000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comi
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comits
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comtig
Source: mR3CdUkyLL.exe, 00000001.00000003.219040434.0000000004F83000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comues5
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000003.222511830.0000000004F81000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: mR3CdUkyLL.exe, 00000001.00000003.221669256.0000000004F82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: mR3CdUkyLL.exe, 00000001.00000003.221669256.0000000004F82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersB
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: mR3CdUkyLL.exe, 00000001.00000003.222048920.0000000004F82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersP
Source: mR3CdUkyLL.exe, 00000001.00000003.226579668.0000000004F82000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersW
Source: mR3CdUkyLL.exe, 00000001.00000003.222740086.0000000004F81000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersv
Source: mR3CdUkyLL.exe, 00000001.00000003.222511830.0000000004F81000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers~
Source: mR3CdUkyLL.exe, 00000001.00000002.285417266.0000000000970000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comm1;
Source: mR3CdUkyLL.exe, 00000001.00000002.285417266.0000000000970000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.commfet
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: mR3CdUkyLL.exe, 00000001.00000003.217831744.0000000004F6A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mR3CdUkyLL.exe, 00000001.00000003.217939403.0000000004F82000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnK
Source: mR3CdUkyLL.exe, 00000001.00000003.217939403.0000000004F82000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnU
Source: mR3CdUkyLL.exe, 00000001.00000003.217831744.0000000004F6A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnj
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 00000004.00000002.254378292.0000000000768000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehpEM3LMEM
Source: vbc.exe, 00000004.00000002.254378292.0000000000768000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpCLMEMh
Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: mR3CdUkyLL.exe, 00000001.00000002.293402217.0000000006222000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: mR3CdUkyLL.exe, 00000001.00000003.218780732.0000000004F66000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnr
Source: mR3CdUkyLL.exe, vbc.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: mR3CdUkyLL.exe, 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: mR3CdUkyLL.exe, vbc.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: vbc.exe, 00000004.00000002.254391075.000000000077C000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 00000004.00000002.254391075.000000000077C000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: mR3CdUkyLL.exe PID: 6092, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6960, type: MEMORY
Source: Yara match File source: Process Memory Space: mR3CdUkyLL.exe PID: 6124, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6696, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6500, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6944, type: MEMORY
Source: Yara match File source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\mR3CdUkyLL.exe
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_004071F6 OpenClipboard, 0_2_004071F6
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_0042EE20 GetClipboardData,GlobalFix,GlobalUnWire, 0_2_0042EE20
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_004368B0 GetKeyboardState, 0_2_004368B0
Creates a DirectInput object (often for capturing keystrokes)
Source: WindowsUpdate.exe, 00000008.00000002.262216042.00000000007DA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Window created: window name: CLIPBRDWNDCLASS
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: mR3CdUkyLL.exe PID: 6092, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6960, type: MEMORY
Source: Yara match File source: Process Memory Space: mR3CdUkyLL.exe PID: 6124, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6696, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6500, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6944, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
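The YARA section above lists one line per (memory region, rule) pair and repeats the whole block once, which makes it hard to see how many distinct processes and regions actually matched. The helper below is an added triage example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses the two source identifiers used above, drops exact duplicate lines, and groups the hits by PID. Two field meanings are assumptions: the first field of a .sdmp name is taken to be the PID in hex (it lines up with the decimal PID in the .unpack names, e.g. 0000000D and 13.2.WindowsUpdate.exe) and the fifth field is taken to be a winnt.h PAGE_* protection constant, so 0x40 is flagged as a hit inside a writable and executable region. The sample input is copied from the report lines above, with the last line repeated on purpose.

```python
"""Consolidate the YARA 'Source:' lines of a Joe Sandbox report by process.

Added triage helper, not part of the report or of Joe Sandbox.  Understands:

  <pid>.<stage>.<dumpid>.<address>.<protect>.<type>.sdmp   (type: MEMORY)
  <pid>.<stage>.<image>.<address>.<n>[.raw].unpack         (type: UNPACKEDPE)

Assumptions: .sdmp field 1 is the PID in hex and field 5 is a winnt.h
PAGE_* protection value.  Other fields are carried through uninterpreted.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source:\s+(?P<src>\S+),\s+type:\s+(?P<type>\w+)\s+"
    r"Matched rule:\s+(?P<rule>.+?)\s+Author:\s+(?P<author>.+?)\s*$"
)
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<addr>[0-9A-Fa-f]+)\."
    r"(?P<n>\d+)(?P<raw>\.raw)?\.unpack$"
)
PAGE_EXECUTE_READWRITE = 0x40  # winnt.h; assumed meaning of .sdmp field 5


def parse_line(line):
    """Return a dict for one 'Source:' line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"source": m["src"], "type": m["type"], "rule": m["rule"],
           "author": m["author"], "image": None, "protect": None}
    if m["type"] == "MEMORY" and (s := SDMP_RE.match(m["src"])):
        rec.update(pid=int(s["pid"], 16), stage=int(s["stage"], 16),
                   addr=int(s["addr"], 16), protect=int(s["protect"], 16))
    elif m["type"] == "UNPACKEDPE" and (u := UNPACK_RE.match(m["src"])):
        rec.update(pid=int(u["pid"]), stage=int(u["stage"]),
                   addr=int(u["addr"], 16), image=u["image"])
    else:
        return None
    return rec


def consolidate(lines):
    """Group matches by PID, ignoring exact duplicate lines.

    Returns (procs, duplicates): procs maps pid -> {'images', 'rules',
    'regions', 'rwx'} (all sets); duplicates counts the repeated lines.
    """
    seen, duplicates = set(), 0
    procs = defaultdict(lambda: {"images": set(), "rules": set(),
                                 "regions": set(), "rwx": set()})
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line in seen:
            duplicates += 1
            continue
        seen.add(line)
        rec = parse_line(line)
        if rec is None:
            continue
        p = procs[rec["pid"]]
        p["rules"].add(rec["rule"])
        p["regions"].add(rec["addr"])
        if rec["image"]:
            p["images"].add(rec["image"])
        # A rule hit inside a writable+executable region is the footprint of
        # unpacking or injection rather than a normally mapped image section.
        if rec["protect"] == PAGE_EXECUTE_READWRITE:
            p["rwx"].add(rec["addr"])
    return dict(procs), duplicates


def summarize(lines):
    """One line per process, built from consolidate()."""
    procs, duplicates = consolidate(lines)
    out = []
    for pid in sorted(procs):
        p = procs[pid]
        image = ", ".join(sorted(p["images"])) or "<no .unpack name seen>"
        rwx = ", ".join(f"{a:#x}" for a in sorted(p["rwx"])) or "-"
        out.append(f"pid {pid:>2} {image}: {len(p['regions'])} region(s), "
                   f"RWX hits at {rwx}, rules={sorted(p['rules'])}")
    out.append(f"{duplicates} duplicate line(s) ignored")
    return "\n".join(out)


# Constructed input: lines copied from the report above, last one repeated.
SAMPLE = """\
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

Run against the full report text, the script collapses the repeated block into one set of hits per process and shows which of the matched regions were RWX at dump time; on the sample it reports PID 1 (mR3CdUkyLL.exe) and PID 13 (WindowsUpdate.exe) with the 0x402000 and 0x22f2000 hits flagged as RWX.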
Contains functionality to call native functions
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_0042E44C NtdllDefWindowProc_A, 0_2_0042E44C
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_004548D4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_004548D4
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00448D28 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_00448D28
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00439760 NtdllDefWindowProc_A,GetCapture, 0_2_00439760
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_00490159 NtCreateSection, 1_2_00490159
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00408836 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,FreeLibrary, 4_2_00408836
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_0042E44C NtdllDefWindowProc_A, 8_2_0042E44C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_004548D4 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 8_2_004548D4
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00448D28 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 8_2_00448D28
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00439760 NtdllDefWindowProc_A,GetCapture, 8_2_00439760
Detected potential crypto function
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_0044E82C 0_2_0044E82C
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00448D28 0_2_00448D28
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_0046CE14 0_2_0046CE14
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00473154 0_2_00473154
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00413434 0_2_00413434
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0040D426 1_2_0040D426
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0040D523 1_2_0040D523
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0041D5AE 1_2_0041D5AE
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_00417646 1_2_00417646
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_004429BE 1_2_004429BE
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_00446AF4 1_2_00446AF4
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0046ABFC 1_2_0046ABFC
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_00463C4D 1_2_00463C4D
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_00463CBE 1_2_00463CBE
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0040ED03 1_2_0040ED03
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_00463D2F 1_2_00463D2F
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_00463DC0 1_2_00463DC0
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0040CF92 1_2_0040CF92
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0041AFA6 1_2_0041AFA6
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0048F13D 1_2_0048F13D
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_00489976 1_2_00489976
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_004F9017 1_2_004F9017
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_004F90A8 1_2_004F90A8
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_004A227A 1_2_004A227A
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_004B028E 1_2_004B028E
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 1_2_0043C7BC 1_2_0043C7BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00404DDB 3_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_0040BD8A 3_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00404E4C 3_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00404EBD 3_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 3_2_00404F4E 3_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00404419 4_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00404516 4_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00413538 4_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_004145A1 4_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_0040E639 4_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_004337AF 4_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_004399B1 4_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_0043DAE7 4_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00405CF6 4_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00403F85 4_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00411F99 4_2_00411F99
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_0044E82C 8_2_0044E82C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00448D28 8_2_00448D28
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_0046CE14 8_2_0046CE14
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00473154 8_2_00473154
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 8_2_00413434 8_2_00413434
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: String function: 004043EC appears 77 times
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: String function: 004039C8 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: String function: 00411538 appears 35 times
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: String function: 0044BA9D appears 35 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 004043EC appears 77 times
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: String function: 004039C8 appears 31 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2336
PE file contains strange resources
Source: mR3CdUkyLL.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: mR3CdUkyLL.exe, 00000000.00000002.215336133.0000000002A92000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.214630392.0000000002180000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe Binary or memory string: OriginalFilename vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe Binary or memory string: OriginalFileName vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.285598715.0000000002332000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs mR3CdUkyLL.exe
Source: mR3CdUkyLL.exe, 00000001.00000002.295145140.0000000006DE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs mR3CdUkyLL.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.9b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285613503.0000000002342000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.290971466.0000000002282000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285461396.0000000002220000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.284300144.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284328493.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000C.00000002.281646219.00000000029B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000008.00000002.264927894.0000000002AB7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000001.214171189.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000001.279359666.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.291629122.00000000022F2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.288312296.0000000002262000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.287562620.00000000009B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.292187107.0000000002362000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.284088931.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.284152713.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.285532239.00000000022B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.284081109.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215270566.0000000002A12000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.287736407.0000000002A51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.a30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2220000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.9b0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.a30000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.1.mR3CdUkyLL.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs Base64 encoded string: 'OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI', 'ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
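The four Base64 strings above are the same in every unpacked copy of Form1.cs, which is what you would expect from an embedded, encrypted configuration rather than from ordinary string constants. The following triage script is an added example, not part of the Joe Sandbox report: it decodes the strings, checks whether the decoded lengths are multiples of 16 (consistent with a 16-byte block cipher plus padding; this is an inference, the report itself only says "Found malware configuration"), and measures how much of the decoded data is printable ASCII, which separates encrypted blobs from merely Base64-wrapped text.

```python
import base64
import math

# The four Base64 strings recovered from Form1.cs in the unpacked payload,
# copied verbatim from the report above.
FORM1_STRINGS = [
    "OL8EkrOJRmtrcbU9/f/8y2sbqfxyekV2FeqOgHm1sKEJylZb4gslDfBMlkCNnwnI",
    "ovkIsNoxWOXUV2FmDx8jsJc/wPVOcuTCWVNH2VFBVTV2JP2ews8hUh9Usbf54Glv",
    "yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp",
    "PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w==",
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. For short blobs the ceiling is log2(len(data)),
    so compare against that rather than against 8.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_string(s: str) -> dict:
    """Decode one Base64 string and report the indicators used to decide
    whether it is ciphertext or just encoded text."""
    raw = base64.b64decode(s, validate=True)
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    return {
        "decoded_len": len(raw),
        "multiple_of_16": len(raw) % 16 == 0,      # block-cipher-sized?
        "entropy": round(shannon_entropy(raw), 2),
        "max_entropy": round(min(8.0, math.log2(len(raw))), 2),
        "printable_ratio": round(printable, 2),     # ~0.37 for random bytes
        # Heuristic, not proof: block-aligned and mostly non-printable.
        "looks_encrypted": len(raw) % 16 == 0 and printable < 0.9,
    }


def triage_all(strings=FORM1_STRINGS) -> list:
    return [triage_string(s) for s in strings]


if __name__ == "__main__":
    for s, r in zip(FORM1_STRINGS, triage_all()):
        print(s[:16] + "...", r)
```

The three 64-character strings decode to 48 bytes and the 88-character string (two padding characters) to 64 bytes; both are block-aligned, and the decoded bytes are mostly non-printable. That is enough to conclude that the configuration is encrypted, not merely encoded, so recovering C2 or exfiltration details requires locating the key-derivation and decryption routine in the unpacked .NET code rather than a second Base64 pass.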
Source: 10.2.WindowsUpdate.exe.2360000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.WindowsUpdate.exe.2a20000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.WindowsUpdate.exe.2280000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.2260000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 12.2.WindowsUpdate.exe.29b0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.mR3CdUkyLL.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.22f0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@16/13@3/3
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00422788 GetLastError,FormatMessageA, 0_2_00422788
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00408D82 GetDiskFreeSpaceA, 0_2_00408D82
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Code function: 4_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle, 4_2_00411196
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Code function: 0_2_00418974 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_00418974
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe File created: C:\Users\user\AppData\Roaming\pid.txt Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6092
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER49BC.tmp Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: mR3CdUkyLL.exe, vbc.exe, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: mR3CdUkyLL.exe Metadefender: Detection: 37%
Source: mR3CdUkyLL.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe File read: C:\Users\user\Desktop\mR3CdUkyLL.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\mR3CdUkyLL.exe 'C:\Users\user\Desktop\mR3CdUkyLL.exe'
Source: unknown Process created: C:\Users\user\Desktop\mR3CdUkyLL.exe 'C:\Users\user\Desktop\mR3CdUkyLL.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2336
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 2348
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Process created: C:\Users\user\Desktop\mR3CdUkyLL.exe 'C:\Users\user\Desktop\mR3CdUkyLL.exe' Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2336 Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\Desktop\mR3CdUkyLL.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
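The process tree above is the most actionable part of the report for detection engineering: the sample hollows the .NET compiler vbc.exe and runs NirSoft password-recovery tools inside it with the /stext switch (the report's "Yara detected MailPassView" and "WebBrowserPassView" hits, dumping to holdermail.txt and holderwb.txt), persists as WindowsUpdate.exe in the user's Roaming profile, and writes a pid.txt marker there. The script below is an added example, not part of the report or of any vendor's rule set. It encodes those three observations as rules and runs them over constructed process-creation and file-creation events that mirror the report, plus a constructed benign vbc.exe compile so the rule does not fire on legitimate builds. The extra NirSoft output switches in the regex beyond /stext (/shtml, /sverhtml, /sxml, /scomma, /stab) are the tool family's documented alternatives and are an assumption on my part, not something this report shows.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


@dataclass
class FileEvent:
    image: str
    path: str


# Constructed events mirroring the report's process tree and file writes.
PROC_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\mR3CdUkyLL.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcEvent(r"C:\Users\user\Desktop\mR3CdUkyLL.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"),
    ProcEvent(r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
              r"C:\Users\user\AppData\Roaming\WindowsUpdate.exe",
              r"'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'"),
    # Benign control (constructed): a real VB compile launched by MSBuild.
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r"vbc.exe /noconfig /out:obj\Release\App.exe Form1.vb"),
]
FILE_EVENTS = [
    FileEvent(r"C:\Users\user\Desktop\mR3CdUkyLL.exe",
              r"C:\Users\user\AppData\Roaming\pid.txt"),
    # Benign control from the same report: Watson's crash-report temp file.
    FileEvent(r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe",
              r"C:\ProgramData\Microsoft\Windows\WER\Temp\WER49BC.tmp"),
]

# NirSoft "save to file" switches; the compiler never takes any of these.
NIRSOFT_DUMP = re.compile(r"/s(text|html|verhtml|xml|comma|tab)\b", re.I)


def detect_credential_dump(ev: ProcEvent):
    """vbc.exe invoked with a NirSoft output switch: a password-recovery
    tool has been hollowed into the compiler (MailPassView / WebBrowserPassView)."""
    if re.search(r"\\vbc\.exe$", ev.image, re.I) and NIRSOFT_DUMP.search(ev.cmdline):
        return "credential dump: NirSoft tool running inside vbc.exe"
    return None


def detect_fake_updater(ev: ProcEvent):
    """Windows Update never runs from a user's Roaming profile."""
    if re.search(r"\\AppData\\Roaming\\WindowsUpdate\.exe$", ev.image, re.I):
        return "persistence: WindowsUpdate.exe running from %AppData%\\Roaming"
    return None


def detect_pid_marker(ev: FileEvent):
    """pid.txt in Roaming is the marker file this sample writes on install."""
    if re.search(r"\\AppData\\Roaming\\pid\.txt$", ev.path, re.I):
        return "HawkEye pid.txt marker written to %AppData%\\Roaming"
    return None


def run_detections(procs=PROC_EVENTS, files=FILE_EVENTS) -> list:
    """Return (subject, verdict) pairs for every rule that fires."""
    hits = []
    for ev in procs:
        for rule in (detect_credential_dump, detect_fake_updater):
            verdict = rule(ev)
            if verdict:
                hits.append((ev.image, verdict))
    for fev in files:
        verdict = detect_pid_marker(fev)
        if verdict:
            hits.append((fev.path, verdict))
    return hits


if __name__ == "__main__":
    for subject, verdict in run_detections():
        print(f"{verdict}\n    {subject}")
```

In a real deployment the same three rules map onto Sysmon process-creation (Event ID 1, using Image, ParentImage and CommandLine) and file-creation (Event ID 11, TargetFilename) events. The vbc.exe rule is the highest-confidence one: a compiler that is not launched by a build tool and that carries a NirSoft-style /s<format> switch has no legitimate explanation, and the same pattern applies to other hollowed framework binaries if you widen the image regex.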
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\