Loading ...

Play interactive tourEdit tour

Analysis Report mR3CdUkyLL

Overview

General Information

Sample Name:mR3CdUkyLL (renamed file extension from none to exe)
Analysis ID:317952
MD5:eecf912977165e444a64805ec4652e5d
SHA1:5bdb844b98123e144ec67a4b8c54ce99a66eca1e
SHA256:c38fcd03c34336492b502735c0704bd4685d33ab29a69358e26ed201254ea63a
Tags:HawkEye

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • mR3CdUkyLL.exe (PID: 6124 cmdline: 'C:\Users\user\Desktop\mR3CdUkyLL.exe' MD5: EECF912977165E444A64805EC4652E5D)
    • mR3CdUkyLL.exe (PID: 6092 cmdline: 'C:\Users\user\Desktop\mR3CdUkyLL.exe' MD5: EECF912977165E444A64805EC4652E5D)
      • dw20.exe (PID: 6168 cmdline: dw20.exe -x -s 2336 MD5: 8D10DA8A3E11747E51F23C882C22BBC3)
      • vbc.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • vbc.exe (PID: 6260 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: C63ED21D5706A527419C9FBD730FFB2E)
      • WerFault.exe (PID: 6392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 2348 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • WindowsUpdate.exe (PID: 6500 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EECF912977165E444A64805EC4652E5D)
    • WindowsUpdate.exe (PID: 6696 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EECF912977165E444A64805EC4652E5D)
  • WindowsUpdate.exe (PID: 6944 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EECF912977165E444A64805EC4652E5D)
    • WindowsUpdate.exe (PID: 6960 cmdline: 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe' MD5: EECF912977165E444A64805EC4652E5D)
  • cleanup

Malware Configuration

Threatname: HawkEye

{"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
    00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmpJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
      00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmpRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
      • 0x7b6b7:$key: HawkEyeKeylogger
      • 0x7d905:$salt: 099u787978786
      • 0x7bcf8:$string1: HawkEye_Keylogger
      • 0x7cb37:$string1: HawkEye_Keylogger
      • 0x7d865:$string1: HawkEye_Keylogger
      • 0x7c0cd:$string2: holdermail.txt
      • 0x7c0ed:$string2: holdermail.txt
      • 0x7c00f:$string3: wallet.dat
      • 0x7c027:$string3: wallet.dat
      • 0x7c03d:$string3: wallet.dat
      • 0x7d429:$string4: Keylog Records
      • 0x7d741:$string4: Keylog Records
      • 0x7d95d:$string5: do not script -->
      • 0x7b69f:$string6: \pidloc.txt
      • 0x7b72d:$string7: BSPLIT
      • 0x7b73d:$string7: BSPLIT
      00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmpJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
        00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmpJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
          Click to see the 142 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          1.2.mR3CdUkyLL.exe.2220000.1.unpackRAT_HawkEyeDetects HawkEye RATKevin Breen <kevin@techanarchy.net>
          • 0x79ab7:$key: HawkEyeKeylogger
          • 0x7bd05:$salt: 099u787978786
          • 0x7a0f8:$string1: HawkEye_Keylogger
          • 0x7af37:$string1: HawkEye_Keylogger
          • 0x7bc65:$string1: HawkEye_Keylogger
          • 0x7a4cd:$string2: holdermail.txt
          • 0x7a4ed:$string2: holdermail.txt
          • 0x7a40f:$string3: wallet.dat
          • 0x7a427:$string3: wallet.dat
          • 0x7a43d:$string3: wallet.dat
          • 0x7b829:$string4: Keylog Records
          • 0x7bb41:$string4: Keylog Records
          • 0x7bd5d:$string5: do not script -->
          • 0x79a9f:$string6: \pidloc.txt
          • 0x79b2d:$string7: BSPLIT
          • 0x79b3d:$string7: BSPLIT
          1.2.mR3CdUkyLL.exe.2220000.1.unpackJoeSecurity_MailPassViewYara detected MailPassViewJoe Security
            1.2.mR3CdUkyLL.exe.2220000.1.unpackJoeSecurity_HawkEyeYara detected HawkEye KeyloggerJoe Security
              1.2.mR3CdUkyLL.exe.2220000.1.unpackJoeSecurity_WebBrowserPassViewYara detected WebBrowserPassView password recovery toolJoe Security
                1.2.mR3CdUkyLL.exe.2220000.1.unpackHawkeyedetect HawkEye in memoryJPCERT/CC Incident Response Group
                • 0x7a150:$hawkstr1: HawkEye Keylogger
                • 0x7af7d:$hawkstr1: HawkEye Keylogger
                • 0x7b2ac:$hawkstr1: HawkEye Keylogger
                • 0x7b407:$hawkstr1: HawkEye Keylogger
                • 0x7b56a:$hawkstr1: HawkEye Keylogger
                • 0x7b801:$hawkstr1: HawkEye Keylogger
                • 0x79cde:$hawkstr2: Dear HawkEye Customers!
                • 0x7b2ff:$hawkstr2: Dear HawkEye Customers!
                • 0x7b456:$hawkstr2: Dear HawkEye Customers!
                • 0x7b5bd:$hawkstr2: Dear HawkEye Customers!
                • 0x79dff:$hawkstr3: HawkEye Logger Details:
                Click to see the 103 entries

                Sigma Overview

                No Sigma rule has matched

                Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Found malware configurationShow sources
                Source: mR3CdUkyLL.exe.6092.1.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
                Source: mR3CdUkyLL.exe.6092.1.memstrMalware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
                Multi AV Scanner detection for dropped fileShow sources
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 37%Perma Link
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 60%
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeMetadefender: Detection: 37%Perma Link
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeReversingLabs: Detection: 60%
                Multi AV Scanner detection for submitted fileShow sources
                Source: mR3CdUkyLL.exeMetadefender: Detection: 37%Perma Link
                Source: mR3CdUkyLL.exeReversingLabs: Detection: 60%
                Source: mR3CdUkyLL.exeMetadefender: Detection: 37%Perma Link
                Source: mR3CdUkyLL.exeReversingLabs: Detection: 60%
                Machine Learning detection for dropped fileShow sources
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeJoe Sandbox ML: detected
                Machine Learning detection for sampleShow sources
                Source: mR3CdUkyLL.exeJoe Sandbox ML: detected
                Source: mR3CdUkyLL.exeJoe Sandbox ML: detected
                Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 13.2.WindowsUpdate.exe.9b0000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 10.2.WindowsUpdate.exe.a30000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 8.2.WindowsUpdate.exe.2a20000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 8.2.WindowsUpdate.exe.2a20000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 13.2.WindowsUpdate.exe.2260000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 13.2.WindowsUpdate.exe.2260000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 10.2.WindowsUpdate.exe.2360000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 10.2.WindowsUpdate.exe.2360000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 13.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 13.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.1.mR3CdUkyLL.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.1.mR3CdUkyLL.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 10.2.WindowsUpdate.exe.2280000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 10.2.WindowsUpdate.exe.2280000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 12.2.WindowsUpdate.exe.29b0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 12.2.WindowsUpdate.exe.29b0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 10.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 10.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.mR3CdUkyLL.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.mR3CdUkyLL.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 12.2.WindowsUpdate.exe.23d0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 13.2.WindowsUpdate.exe.22f0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 13.2.WindowsUpdate.exe.22f0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 0.2.mR3CdUkyLL.exe.29c0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 13.2.WindowsUpdate.exe.9b0000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 10.2.WindowsUpdate.exe.a30000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 8.2.WindowsUpdate.exe.2a20000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 8.2.WindowsUpdate.exe.2a20000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.mR3CdUkyLL.exe.22b0000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 13.2.WindowsUpdate.exe.2260000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 13.2.WindowsUpdate.exe.2260000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 10.2.WindowsUpdate.exe.2360000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 10.2.WindowsUpdate.exe.2360000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.mR3CdUkyLL.exe.2220000.1.unpackAvira: Label: TR/Inject.vcoldi
                Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.mR3CdUkyLL.exe.2340000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 0.2.mR3CdUkyLL.exe.2a10000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 13.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 13.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.1.mR3CdUkyLL.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.1.mR3CdUkyLL.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 10.2.WindowsUpdate.exe.2280000.2.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 10.2.WindowsUpdate.exe.2280000.2.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 12.2.WindowsUpdate.exe.29b0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 12.2.WindowsUpdate.exe.29b0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 10.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 10.2.WindowsUpdate.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 1.2.mR3CdUkyLL.exe.400000.0.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 1.2.mR3CdUkyLL.exe.400000.0.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: 12.2.WindowsUpdate.exe.23d0000.2.unpackAvira: Label: TR/Patched.Ren.Gen
                Source: 13.2.WindowsUpdate.exe.22f0000.3.unpackAvira: Label: TR/AD.MExecute.lzrac
                Source: 13.2.WindowsUpdate.exe.22f0000.3.unpackAvira: Label: SPR/Tool.MailPassView.473
                Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: mR3CdUkyLL.exeBinary or memory string: autorun.inf
                Source: mR3CdUkyLL.exeBinary or memory string: [autorun]
                Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmpBinary or memory string: autorun.inf
                Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmpBinary or memory string: [autorun]
                Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: mR3CdUkyLL.exeBinary or memory string: autorun.inf
                Source: mR3CdUkyLL.exeBinary or memory string: [autorun]
                Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmpBinary or memory string: autorun.inf
                Source: WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmpBinary or memory string: [autorun]
                Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmpBinary or memory string: autorun.inf
                Source: WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmpBinary or memory string: [autorun]
                Source: C:\Users\user\Desktop\mR3CdUkyLL.exeCode function: 0_2_0047A5CC FindFirstFileA,GetLastError,FindClose,0_2_0047A5CC
                Source: C:\Users\user\Desktop\mR3CdUkyLL.exeCode function: 0_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408AA8
                Source: C:\Users\user\Desktop\mR3CdUkyLL.exeCode function: 0_2_00408B84 FindFirstFileA,GetLastError,0_2_00408B84
                Source: C:\Users\user\Desktop\mR3CdUkyLL.exeCode function: 0_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405B94
                Source: C:\Users\user\Desktop\mR3CdUkyLL.exeCode function: 0_2_0047A5CC FindFirstFileA,GetLastError,FindClose,0_2_0047A5CC
                Source: C:\Users\user\Desktop\mR3CdUkyLL.exeCode function: 0_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,0_2_00408AA8
                Source: C:\Users\user\Desktop\mR3CdUkyLL.exeCode function: 0_2_00408B84 FindFirstFileA,GetLastError,0_2_00408B84
                Source: C:\Users\user\Desktop\mR3CdUkyLL.exeCode function: 0_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,0_2_00405B94
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 3_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,3_2_00406EC3
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,4_2_00408441
                Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeCode function: 4_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,4_2_00407E0E
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_0047A5CC FindFirstFileA,GetLastError,FindClose,8_2_0047A5CC
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00408AA8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,8_2_00408AA8
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00408B84 FindFirstFileA,GetLastError,8_2_00408B84
                Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exeCode function: 8_2_00405B94 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,8_2_00405B94

                Networking:

                barindex
                May check the online IP address of the machineShow sources
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: unknownDNS query: name: whatismyipaddress.com
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 104.16.155.36 104.16.155.36
                Source: Joe Sandbox ViewIP Address: 104.16.155.36 104.16.155.36
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
                Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: mR3CdUkyLL.exe, vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmpString found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
                Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmpString found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
                Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                Source: mR3CdUkyLL.exe, 00000000.00000002.215363320.0000000002AA7000.00000040.00000001.sdmp, mR3CdUkyLL.exe, 00000001.00000002.291517434.0000000003A51000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.254178019.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000008.00000002.264075129.0000000002A22000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000A.00000002.287705631.0000000000A30000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000C.00000002.281779218.0000000002A47000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.284301101.0000000000497000.00000040.00000001.sdmpString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                Source: mR3CdUkyLL.exe, vbc.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: vbc.exe, 00000004.00000003.254000875.0000000000A4C000.00000004.00000001.sdmpString found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+downlo