Analysis Report Sample_B.exe

Overview

General Information

Sample Name: Sample_B.exe
Analysis ID: 354163
MD5: 78300bd48d50fa7e5f3f6a933cc5f739
SHA1: 03157f27b0d5141465adeeaf9b3a7b5f3e60f614
SHA256: 424212e76c0e660538ee49126079980b34f4dd343e002004f67ea71a937af5e3

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Sample_B.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Found malware configuration
Source: Windows Update.exe.2360.2.memstr Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Sample_B.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.Sample_B.exe.bc0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.Sample_B.exe.bc0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.Windows Update.exe.ee0000.1.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.Windows Update.exe.ee0000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Sample_B.exe.bc0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.Sample_B.exe.bc0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.0.Windows Update.exe.ee0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.0.Windows Update.exe.ee0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473

Compliance:

Uses 32bit PE files
Source: Sample_B.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\Sample_B.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Sample_B.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: pC:\Win.pdbassembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: F^symbols\dll\mscorlib.pdb^ source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: .pdb; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbs\AppData\Roaming\Windows Update.exe source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb8 source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Sample_B.exe
Source: Binary string: dows\mC:\Users\user\AppData\Roaming__b77a5c561934e089\mscorlib.pdbne_d08cc06a442b34fc source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Sample_B.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Sample_B.exe
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbFP source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^T3/pC:\Windows\mscorlib.pdb4 source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2111699782.0000000000E70000.00000002.00000001.sdmp

Spreading:

May infect USB drives
Source: Sample_B.exe Binary or memory string: autorun.inf
Source: Sample_B.exe Binary or memory string: [autorun]
Source: Windows Update.exe Binary or memory string: [autorun]
Source: Windows Update.exe Binary or memory string: autorun.inf
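
The "May infect USB drives" signature fires on the "[autorun]" and "autorun.inf" strings alone; it does not show what the sample writes. The parser below is an added example, not part of the report or of the sample, that scores an autorun.inf the way a removable-media triage script would: it flags launcher keys (open, shellexecute, shell\open\command), the stock folder icon borrowed from SHELL32.dll, the "Open folder to view files" lure text and a forced AutoPlay. The three autorun.inf contents are constructed; the malicious one reuses the dropped-file name WindowsUpdate.exe from this report, the other two are benign controls. Note that Windows has ignored autorun.inf on removable (non-optical) drives since the February 2011 AutoRun update (KB971029), so this spreading path only works on unpatched or legacy hosts; the file is still a reliable infection indicator when found on a drive.

```python
# Constructed autorun.inf contents (assumptions; the report only shows the
# strings "[autorun]" and "autorun.inf"). The launcher name reuses the
# dropped-file name from the report.
MALICIOUS_AUTORUN = """\
[autorun]
; written by the stealer when a removable drive is plugged in
open=WindowsUpdate.exe
shell\\open\\command=WindowsUpdate.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
UseAutoPlay=1
"""
INSTALLER_AUTORUN = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""
LABEL_ONLY_AUTORUN = """\
[AutoRun]
icon=disc.ico
label=Holiday Photos
"""

# Keys that make AutoRun/AutoPlay start a program; extensions that run directly.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command", "shell\\explore\\command"}
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".pif")


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.
    Lines starting with ';' are comments; other sections are ignored."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries


def assess_autorun(text):
    """Classify an autorun.inf as benign / suspicious / malicious with the
    reasons, so the flags can be written into an alert."""
    entries = parse_autorun(text)
    values = dict(entries)
    launchers = [(k, v) for k, v in entries if k in LAUNCH_KEYS]
    flags = set()
    if launchers:
        flags.add("launches_file")
        if any(v.lower().endswith(EXEC_EXT) for _, v in launchers):
            flags.add("launches_executable")
        if "shell32.dll" in values.get("icon", "").lower():
            flags.add("folder_icon_masquerade")   # drive shows the stock folder icon
        if "folder" in values.get("action", "").lower():
            flags.add("open_folder_lure")         # AutoPlay entry mimics Explorer's own
        if values.get("useautoplay") == "1":
            flags.add("forces_autoplay")
    # A launcher plus a masquerade is the worm pattern; a bare launcher is what
    # legitimate installer media looks like, so it is only "suspicious".
    if "launches_executable" in flags and flags & {"folder_icon_masquerade", "open_folder_lure"}:
        verdict = "malicious"
    elif launchers:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"launchers": launchers, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for name, inf in [("malicious", MALICIOUS_AUTORUN), ("installer", INSTALLER_AUTORUN),
                      ("label-only", LABEL_ONLY_AUTORUN)]:
        result = assess_autorun(inf)
        print(f"{name:10s} -> {result['verdict']:10s} {sorted(result['flags'])}")
```

The installer sample scores only "suspicious" on purpose: open=setup.exe is exactly what legitimate CD/DVD media carries, and the distinguishing features of the worm variant are the folder icon, the "Open folder" lure and the launcher pointing at a file named like a system component.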

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 0_2_005514C0
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 0_2_00550728
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 0_2_005517F8
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 4x nop then jmp 00551A73h 0_2_005519B0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 2_2_004E7810
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E6059
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004EC627
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E9C3F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then call 004E1B20h 2_2_004E9634
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E9634
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then mov esp, ebp 2_2_004E48C7
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E14C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E5CEE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E98F9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004EA2F0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004EC48F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then call 004E1B20h 2_2_004E954A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E954A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E0728
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E6731
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004EA3DA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then call 004E1B20h 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 2_2_004E17F8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then jmp 004E1A73h 2_2_004E19A0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then jmp 004E1A73h 2_2_004E19B0

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 66.102.1.108:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.155.36 104.16.155.36
Source: Joe Sandbox View IP Address: 66.102.1.108 66.102.1.108
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 66.102.1.108:587
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0011A09A recv, 2_2_0011A09A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
Source: Sample_B.exe String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Sample_B.exe String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: Sample_B.exe, 00000000.00000002.2075873795.00000000004C2000.00000004.00000020.sdmp String found in binary or memory: WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Sample_B.exe, 00000000.00000002.2075873795.00000000004C2000.00000004.00000020.sdmp String found in binary or memory: WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Sample_B.exe, Windows Update.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: 163.190.5.0.in-addr.arpa
Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: Sample_B.exe String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.3.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: Sample_B.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Sample_B.exe, Windows Update.exe String found in binary or memory: http://whatismyipaddress.com/
Source: Sample_B.exe String found in binary or memory: http://whatismyipaddress.com/-
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: Sample_B.exe String found in binary or memory: http://www.nirsoft.net/
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: Sample_B.exe, Windows Update.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: Sample_B.exe, Windows Update.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
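
Two of the network observations above carry the detection value for this family: the bare GET / to whatismyipaddress.com with no User-Agent header (the keylogger stamps the victim's public IP into its reports), followed shortly by a TCP connection to 66.102.1.108 on port 587. The report files 587 under "non-standard ports", but 587 is the standard mail submission port (RFC 6409); the signal is a workstation that is not a mail server or mail client speaking SMTP submission directly, and the correlation of the two events on one host. The script below is an added example, not part of the report, that runs that logic over constructed proxy and firewall log lines (the key=value format, timestamps, the control hosts and the MAIL_RELAYS allowlist are all assumptions); 192.168.2.22 reproduces the report's two events.

```python
import re
from datetime import datetime, timedelta

# Constructed log excerpts (format is an assumption; not taken from the report).
# 192.168.2.22 reproduces the report's two network events; the other hosts are
# controls: a browser with a User-Agent, the corporate mail relay, and a
# workstation that only speaks SMTP without an IP check.
PROXY_LOG = """\
2021-02-24T10:00:05Z src=192.168.2.50 method=GET host=www.google.com path=/ ua="Mozilla/5.0"
2021-02-24T10:01:02Z src=192.168.2.22 method=GET host=whatismyipaddress.com path=/ ua=-
2021-02-24T10:02:10Z src=192.168.2.50 method=GET host=whatismyipaddress.com path=/ ua="Mozilla/5.0"
"""
FIREWALL_LOG = """\
2021-02-24T10:00:40Z src=192.168.2.10 dst=66.102.1.108 dport=587 proto=tcp
2021-02-24T10:01:30Z src=192.168.2.22 dst=66.102.1.108 dport=587 proto=tcp
2021-02-24T10:05:00Z src=192.168.2.60 dst=203.0.113.5 dport=465 proto=tcp
"""

IP_CHECK_HOSTS = {"whatismyipaddress.com"}   # the host seen in this report; extend as needed
MAIL_SUBMISSION_PORTS = {"25", "465", "587"}
MAIL_RELAYS = {"192.168.2.10"}                # constructed allowlist: hosts allowed to send mail out
CORRELATION_WINDOW = timedelta(minutes=10)    # IP check and SMTP session must be this close

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split '<timestamp> k=v k="v v"' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_exfil_pattern(proxy_log, firewall_log):
    """Return (severity, rule, src_host, detail) tuples: one per IP check without a
    User-Agent, one per SMTP session from a non-mail host, and a high-severity
    finding when the same host does both inside CORRELATION_WINDOW."""
    findings, ip_checks, smtp = [], {}, {}
    for line in proxy_log.splitlines():
        f = parse_line(line)
        if f.get("host") in IP_CHECK_HOSTS and f.get("ua", "-") in ("-", ""):
            findings.append(("medium", "ip_check_no_user_agent", f["src"], f["host"]))
            ip_checks.setdefault(f["src"], []).append(f["ts"])
    for line in firewall_log.splitlines():
        f = parse_line(line)
        if (f.get("proto") == "tcp" and f.get("dport") in MAIL_SUBMISSION_PORTS
                and f["src"] not in MAIL_RELAYS):
            findings.append(("medium", "smtp_from_non_mail_host", f["src"],
                             f"{f['dst']}:{f['dport']}"))
            smtp.setdefault(f["src"], []).append(f["ts"])
    for src, check_times in ip_checks.items():
        if any(abs(t_smtp - t_chk) <= CORRELATION_WINDOW
               for t_smtp in smtp.get(src, []) for t_chk in check_times):
            findings.append(("high", "ip_check_then_smtp_exfil", src,
                             "keylogger/stealer report-by-mail pattern"))
    return findings


if __name__ == "__main__":
    for severity, rule, src, detail in detect_exfil_pattern(PROXY_LOG, FIREWALL_LOG):
        print(f"[{severity}] {rule:28s} {src:15s} {detail}")
```

The allowlist matters more than the port list: on a network where desktop mail clients submit directly to an external provider, smtp_from_non_mail_host alone will page constantly, while the correlated finding stays specific because ordinary mail clients do not first ask a web page for the machine's public IP with an empty User-Agent.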

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: Sample_B.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: Sample_B.exe, Form1.cs .Net Code: HookKeyboard
Source: Windows Update.exe.0.dr, Form1.cs .Net Code: HookKeyboard
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: WindowsUpdate.exe.2.dr, Form1.cs .Net Code: HookKeyboard
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs .Net Code: HookKeyboard
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: Sample_B.exe, type: SAMPLE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Sample_B.exe, type: SAMPLE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\Sample_B.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\Sample_B.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00646A6A NtResumeThread, 2_2_00646A6A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00645172 NtQuerySystemInformation, 2_2_00645172
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00646B12 NtWriteVirtualMemory, 2_2_00646B12
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00646AE5 NtWriteVirtualMemory, 2_2_00646AE5
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00645145 NtQuerySystemInformation, 2_2_00645145
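Read together, the two signatures above are the most telling evidence in this section: "Windows Update.exe" allocates execute/read/write pages at 0x76E20000 and 0x76D20000, where 32-bit system DLLs such as kernel32.dll and advapi32.dll are mapped, and its code references NtWriteVirtualMemory and NtResumeThread, the write-into-another-process-then-resume pair that process hollowing relies on. The Python script below is an added triage example and is not part of the sandbox report: it parses evidence lines in the report's own "Source: <process> ..." layout, strips the "Jump to behavior" link residue the HTML export leaves behind, and assigns each process a verdict. The input lines are copied from this section; the 0x70000000-0x7FFFFFFF bound used for the system DLL range and the verdict labels are my assumptions. Treat the "hollowing-chain" verdict as a lead rather than proof, since debuggers and some installers also write into other processes and resume their threads.

```python
import re
from collections import defaultdict

# Constructed input: evidence lines copied from the two signatures above, plus one
# "Detected potential crypto function" line to show that unrelated records are ignored.
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\Sample_B.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior",
    "Source: C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior",
    "Source: C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior",
    "Source: C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe Code function: 2_2_00646A6A NtResumeThread, 2_2_00646A6A",
    "Source: C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe Code function: 2_2_00645172 NtQuerySystemInformation, 2_2_00645172",
    "Source: C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe Code function: 2_2_00646B12 NtWriteVirtualMemory, 2_2_00646B12",
    "Source: C:\\Users\\user\\Desktop\\Sample_B.exe Code function: 0_2_00BCD426 0_2_00BCD426",
]

# Assumption: on 32-bit Windows the system DLLs (ntdll, kernel32, advapi32, ...) live in this
# top part of user space; both allocations in the report (0x76E20000, 0x76D20000) fall inside it.
SYSTEM_DLL_RANGE = (0x70000000, 0x7FFFFFFF)

# Writing into another process and then resuming its (suspended) thread is the hollowing pair.
HOLLOWING_APIS = {"NtWriteVirtualMemory", "NtResumeThread"}

ALLOC_RE = re.compile(r"^Source: (?P<proc>.+?) Memory allocated: (?P<addr>[0-9A-Fa-f]+) page (?P<prot>.+)$")
NATIVE_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: \S+ (?P<api>Nt\w+),")


def parse_report(lines):
    """Group RWX allocations in the system DLL range and referenced Nt* APIs by process path."""
    procs = defaultdict(lambda: {"rwx_system_allocs": [], "native_apis": set()})
    for line in lines:
        # the HTML report appends a "Jump to behavior" link to behaviour evidence; drop it
        line = line.replace(" Jump to behavior", "").strip()
        m = ALLOC_RE.match(line)
        if m:
            addr = int(m.group("addr"), 16)
            prot = m.group("prot")
            in_range = SYSTEM_DLL_RANGE[0] <= addr <= SYSTEM_DLL_RANGE[1]
            # "page execute and read and write" is the report's wording for PAGE_EXECUTE_READWRITE
            if in_range and "execute" in prot and "write" in prot:
                procs[m.group("proc")]["rwx_system_allocs"].append(addr)
            continue
        m = NATIVE_RE.match(line)
        if m:
            procs[m.group("proc")]["native_apis"].add(m.group("api"))
    return dict(procs)


def hollowing_verdicts(procs):
    """Label each process: full write+resume chain, RWX allocation in the DLL range only, or nothing."""
    verdicts = {}
    for proc, ev in procs.items():
        if HOLLOWING_APIS <= ev["native_apis"]:
            verdicts[proc] = "hollowing-chain"
        elif ev["rwx_system_allocs"]:
            verdicts[proc] = "rwx-alloc-in-system-dll-range"
        else:
            verdicts[proc] = "none"
    return verdicts


if __name__ == "__main__":
    for proc, verdict in hollowing_verdicts(parse_report(REPORT_LINES)).items():
        print(f"{verdict:32} {proc}")
```

Run against the lines above, "Windows Update.exe" is the only process that gets the "hollowing-chain" verdict; Sample_B.exe and vbc.exe are flagged for the RWX allocation alone. The NtQuerySystemInformation reference is kept in the evidence but not scored, because it is as common in benign code as in loaders.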
Detected potential crypto function
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCD426 0_2_00BCD426
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BDD5AE 0_2_00BDD5AE
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCD523 0_2_00BCD523
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCD6C4 0_2_00BCD6C4
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BD7646 0_2_00BD7646
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C06AF4 0_2_00C06AF4
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C2ABFC 0_2_00C2ABFC
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C23CBE 0_2_00C23CBE
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C23C4D 0_2_00C23C4D
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C23DC0 0_2_00C23DC0
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCED03 0_2_00BCED03
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C23D2F 0_2_00C23D2F
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BDAFA6 0_2_00BDAFA6
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BCCF92 0_2_00BCCF92
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00551DB8 0_2_00551DB8
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00BFC7BC 0_2_00BFC7BC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F103C0 2_2_00F103C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EED426 2_2_00EED426
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EFD5AE 2_2_00EFD5AE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EED523 2_2_00EED523
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EED6C4 2_2_00EED6C4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EF7646 2_2_00EF7646
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F229BE 2_2_00F229BE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F26AF4 2_2_00F26AF4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F4ABFC 2_2_00F4ABFC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F43CBE 2_2_00F43CBE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F43C4D 2_2_00F43C4D
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F43DC0 2_2_00F43DC0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F43D2F 2_2_00F43D2F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EEED03 2_2_00EEED03
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EFAFA6 2_2_00EFAFA6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00EECF92 2_2_00EECF92
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_001A638C 2_2_001A638C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E6068 2_2_004E6068
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E7200 2_2_004E7200
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E8A90 2_2_004E8A90
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E5778 2_2_004E5778
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004E8DE8 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F1C7BC 2_2_00F1C7BC
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Sample_B.exe Code function: String function: 00C0BA9D appears 36 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 00F2BA9D appears 36 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
PE file contains strange resources
Source: Sample_B.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Sample_B.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Sample_B.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
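The signature that follows, "Sample file is different than original file name gathered from version info", compares the OriginalFilename field of every VS_VERSIONINFO string found in the sample and its memory dumps against Sample_B.exe. Most of the hits are noise: the entries from the 0x5C17000 and 0x49F0000 dumps are version strings of Windows .mui resource files (dmdskres.dll.mui, wmplayer.exe.mui and so on) and say nothing about the sample. The three hits from the 0xBC2000 dump are the ones that matter, because that address lies in the module loaded at 0xBC0000, the sample's own image per the unpack entries above: CMemoryExecute.dll, WebBrowserPassView.exe and mailpv.exe are OriginalFilename values of PE files carried inside Sample_B.exe, the latter two being NirSoft's WebBrowserPassView and Mail PassView executables. The Python below is an added example, not part of the sandbox report: it extracts OriginalFilename values from a raw buffer the way a memory-string scan does (the "j%", "@" and "D" trailing the values in the report are simply the bytes after the NUL terminator) and sorts the hits into sample name, embedded PE names and MUI noise. The dump fragment and the "Example Co" value are constructed, and using the ".mui" suffix as the noise marker is a heuristic chosen for this report.

```python
# Added example (not from the sandbox report): recover OriginalFilename values from a memory
# dump the same way a "Binary or memory string" scan does, then separate the sample's own
# values from the version resources of Windows components that happen to be in the dump.


def find_version_values(blob, key="OriginalFilename"):
    """Return every UTF-16LE value that follows a NUL-terminated <key> in blob, in order.

    VS_VERSIONINFO stores key and value as NUL-terminated UTF-16LE strings with the value
    DWORD-aligned, so one WORD of padding may sit between the key's terminator and the value.
    The scan is byte-offset based: a dump is not aligned to anything we control.
    """
    needle = key.encode("utf-16-le") + b"\x00\x00"
    values, pos = [], 0
    while True:
        idx = blob.find(needle, pos)
        if idx < 0:
            return values
        cur = idx + len(needle)
        # skip one alignment WORD, but only if a real value follows it (an empty value is \0\0 itself)
        if blob[cur:cur + 2] == b"\x00\x00" and blob[cur + 2:cur + 4] != b"\x00\x00":
            cur += 2
        units = []
        while cur + 1 < len(blob) and blob[cur:cur + 2] != b"\x00\x00":
            units.append(blob[cur:cur + 2])
            cur += 2
        values.append(b"".join(units).decode("utf-16-le", errors="replace"))
        pos = cur


def is_system_resource_noise(value):
    """Heuristic: version strings of .mui resource files belong to Windows components, not the sample."""
    return value.lower().endswith(".mui")


def triage(blob, sample_name):
    """Split OriginalFilename hits into: matches the sample name / other embedded PE names / MUI noise."""
    hits = find_version_values(blob)
    wanted = sample_name.lower()
    matches = [v for v in hits if v.lower() == wanted]
    others = sorted({v for v in hits if v and v.lower() != wanted})
    return {
        "matches_sample_name": matches,
        "embedded": [v for v in others if not is_system_resource_noise(v)],
        "system_noise": [v for v in others if is_system_resource_noise(v)],
    }


def _u16z(s):
    """NUL-terminated UTF-16LE, as VS_VERSIONINFO stores strings."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed dump fragment imitating four String entries. The stray bytes between entries stand
# in for the next structure's header, which is where the "j%" / "@" / "D" seen in the report come
# from; the second entry carries the optional alignment WORD before its value.
CONSTRUCTED_DUMP = (
    b"\x00" * 4
    + _u16z("OriginalFilename") + _u16z("mailpv.exe") + b"j%"
    + _u16z("CompanyName") + _u16z("Example Co")
    + _u16z("OriginalFilename") + b"\x00\x00" + _u16z("WebBrowserPassView.exe") + b"@"
    + _u16z("OriginalFilename") + _u16z("dmdskres.dll.mui") + b"D"
    + _u16z("OriginalFilename") + _u16z("Sample_B.exe")
)

if __name__ == "__main__":
    print(triage(CONSTRUCTED_DUMP, "Sample_B.exe"))
```

On the constructed fragment the scanner returns the four values in order and triage files WebBrowserPassView.exe and mailpv.exe under "embedded", dmdskres.dll.mui under "system_noise" and Sample_B.exe as the only match. Because the scan is independent of alignment it works on the odd-offset entries just as well, which is the situation in a real dump where the entries seen here came from three different memory regions.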
Sample file is different than original file name gathered from version info
Source: Sample_B.exe Binary or memory string: OriginalFilename vs Sample_B.exe
Source: Sample_B.exe Binary or memory string: OriginalFileName vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewersvcj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewbengine.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepuiapi.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWfsR.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmplayer.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsfltr32.acm.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaudiosrv.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebatt.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMDMINST.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWCNCSVC.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePOWRPROF.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAUTOPLAY.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedmdskres.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpscript.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesdcpl.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesrchadmin.dll.mui@ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPDSp.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameVfWWDM32.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUsbui.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameERCj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamecscsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameehRecvr.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamessdpsrv.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXE.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenetcfgx.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsfeedsbs.dll.muiD vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameunregmp2.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWUDFSvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPCCPL.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameTrustedInstaller.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUxTheme.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenetprof.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebattc.sys.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewevtsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameappmgmts.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesti_ci.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamefaultrep.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewdc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameqwavedrv.sys.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewucltux.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameunpnhost.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameappinfo.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemidimap.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcndmgr.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAccessibilityCpl.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSRATING.DLL.MUID vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameoleres.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmploc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameACCTRES.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameOLEACCRC.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIPBusEnum.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamerstrui.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameieinstal.exe.muiD vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewmisvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSRVSVC.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedeskadp.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePowerCPL.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsadp32.acm.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSRV.SYS.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameiccvid.drv.muiN vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpapi.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebluetooth.cpl.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewpd_ci.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameINETRES.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSWPRV.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePhotoScreensaver.scr.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameATL.DLL.MUIR vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcbase.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelhdfrgui.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePDH.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPNSSCI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamescsiport.sys.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAVIFIL32.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmci.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametermsrv.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameBubblesj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIE4UINIT.EXE.MUID vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameiedkcs32.dll.muiD vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWinMail.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewevtutil.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameTBSSVC.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameulib.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamei8042prt.sys.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemycomput.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameparport.sys.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedsound.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamefwcfg.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameqwave.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameumrdp.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCSRSS.Exe.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewinsrv.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWinInit.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWINLOGON.EXE.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameservices.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelsasrv.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesvchost.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewship6.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshqos.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAUTHUI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametzres.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesppsvc.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameInput.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameTipTsf.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSpTip.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameTableTextService.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaero.msstyles.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametaskcomp.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamespoolsv.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameBFE.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameFirewallAPI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametaskhost.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUSERINIT.EXE.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSCMS.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamej% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMsCtfMonitor.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesnmptrap.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelmhsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedwm.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedhcpcore.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepeerdistsh.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameNetLogon.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesstpsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelocalspl.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameFXSRESM.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametaskeng.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWsdMon.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamevsstrace.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenetprofm.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameThemeUI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameExplorerFrame.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameesrb.dll.muiH vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamexpsrchvw.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamestobject.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamerasdlg.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAltTab.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewscui.cpl.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameHCPROVIDERS.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSearchIndexer.exe.mui@ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePNIDUI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametquery.dll.mui@ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameesent.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesidebar.EXE.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMsMpRes.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametwext.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamempr.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameschedsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameFDResPub.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameFunDisc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamerpcrt4.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameFDPrint.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameBASEBRD.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameimageres.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWINMM.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameDocumentPerformanceEvents.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWerConCpl.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSHTML.DLL.MUID vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSHSVCS.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametaskmgr.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSndVolSSO.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewin32spl.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameinetpp.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameadvapi32.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameprovsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamep2pcollab.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameQAgentRT.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameDhcpQEC.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlasvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenapinsp.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepnrpnsp.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameFVEUI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamews2_32.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameiphlpapi.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWebServices.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedhcpcsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepcwum.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamefwpuclnt.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuserenv.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametsgqec.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCertEnrollj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewebio.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameperftrack.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCDOSYS.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedwmapi.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCertClij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamecimwin32.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegptext.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsobjs.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepnrpsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameazrolesj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedrt.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameNDIS.SYS.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamePeerDistSvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWsmRes.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000000.2069282120.0000000000C42000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2075802327.0000000000464000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameehres.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPSideShowGadgetj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameonex.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamethumbcache.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamelocalsec.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUI0Detect.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWLANGPUI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSV1_0.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamehotplug.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSTI.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemmcss.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewuaueng.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameOLE32.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamew32time.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameslui.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameUSERCPL.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenametaskschd.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMDM.dll.muiZ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebthci.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSHTMLER.DLL.MUID vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenapdsnap.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameREGSVC.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesbdropj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamebrserid.sys.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamecomdlg32.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameSXS.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamedps.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWMPNSCFG.EXE.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamesdclt.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWEBCHECK.DLL.MUID vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameAuxiliaryDisplayCpl.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMBLCTR.EXE.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameEFSADU.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameWPDMTPDR.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameNetworkItemFactory.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaudiodev.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameaelupsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamejscript.dll.muiH vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamegpedit.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMSOERES.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2077020537.0000000004710000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Sample_B.exe
Source: Sample_B.exe Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Sample_B.exe
Source: Sample_B.exe Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Sample_B.exe
Source: Sample_B.exe Binary or memory string: OriginalFilenamemailpv.exe< vs Sample_B.exe
Source: Sample_B.exe Binary or memory string: OriginalFilenamePhulli.exe0 vs Sample_B.exe
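Reading the OriginalFilename evidence above together with the HKTL_NET_GUID_* Yara matches that follow: the long run of *.mui names all comes from two memory regions (the 049F0000 and 05A30000 dumps) and carries the version info of system resource DLLs, almost certainly a mapped system file rather than anything the sample wrote, so it is noise. The entries that matter are the four found in Sample_B.exe itself: Phulli.exe (the name the assembly was built under), CMemoryExecute.dll (an in-memory PE loader, consistent with the process hollowing signatures), and WebBrowserPassView.exe and mailpv.exe (the NirSoft recovery tools the Yara rules name). The typelibguid rules match the GUID that a .NET project's [assembly: Guid] attribute stores in the assembly; a hit is strong evidence because that value survives renaming and recompiling an unmodified project, but it is trivially changed, so a miss proves nothing. The script below is an added example, not code from the report or from the sandbox vendor, that reproduces both checks over a file or memory dump: it pulls every OriginalFilename value in ASCII or UTF-16LE form, trims the stray byte that follows the value in a raw dump (the "j%", "0" and "<" suffixes in the list above), separates MUI resource names and extension-less fragments from real mismatches, and looks for GUID-shaped strings against a watch-list. The DUMP bytes, SAMPLE_NAME and the WATCHLIST GUID are constructed for the demonstration; the watch-list GUID is a placeholder, not any real tool's TypeLib GUID.

```python
"""Added triage helper for the two string indicators this report leans on.

Not code from the report or from the sandbox vendor; standard library only.
DUMP, SAMPLE_NAME and the WATCHLIST GUID are constructed for the demo (the
watch-list GUID is a placeholder, not a real tool's TypeLib GUID).
"""
import re
import sys

# --- OriginalFilename: the version-info field the linker stores in a PE -----
_KEY_A = b"OriginalFilename"
_KEY_W = "OriginalFilename".encode("utf-16-le")
# ASCII key, optional NUL padding, then a printable value.
_RE_A = re.compile(_KEY_A + rb"\x00*([\x20-\x7e]{1,260})")
# UTF-16LE key (how VS_VERSIONINFO really stores it), NUL-pair padding, wide value.
_RE_W = re.compile(_KEY_W + rb"(?:\x00\x00)*((?:[\x20-\x7e]\x00){1,260})")
# Last recognised extension; used to cut the byte that follows the value in a
# raw dump ("Phulli.exe0", "esrb.dll.muiH" in the report's rendering).
_EXT = re.compile(r"^(.*\.(?:exe|dll|sys|mui|ocx|cpl|scr))", re.IGNORECASE)


def extract_original_filenames(blob: bytes) -> list[str]:
    """Every OriginalFilename value in the blob, ASCII or wide, in offset order."""
    hits = [(m.start(), m.group(1).decode("ascii")) for m in _RE_A.finditer(blob)]
    hits += [(m.start(), m.group(1).decode("utf-16-le")) for m in _RE_W.finditer(blob)]
    return [v for _, v in sorted(hits)]


def normalize(value: str) -> str:
    """Trim trailing junk after the last known extension; other shapes pass through."""
    m = _EXT.match(value)
    return m.group(1) if m else value


def classify(value: str, sample_name: str) -> str:
    v = normalize(value)
    if v.lower().endswith(".mui"):
        return "mui-resource"   # localized resource DLL names: mapped system files, not the sample
    if not _EXT.match(v):
        return "fragment"       # no extension: truncated or garbled, not evidence on its own
    if v.lower() == sample_name.lower():
        return "match"
    return "mismatch"           # renamed binary or an embedded PE: worth a look


def triage(blob: bytes, sample_name: str) -> dict[str, list[str]]:
    groups: dict[str, list[str]] = {"match": [], "mismatch": [], "mui-resource": [], "fragment": []}
    for raw in extract_original_filenames(blob):
        groups[classify(raw, sample_name)].append(normalize(raw))
    return groups


# --- .NET TypeLib GUID: what the HKTL_NET_GUID_* Yara rules key on ---------
_HEX = rb"[0-9a-fA-F]"
_RE_GUID_A = re.compile(_HEX + rb"{8}-" + _HEX + rb"{4}-" + _HEX + rb"{4}-"
                        + _HEX + rb"{4}-" + _HEX + rb"{12}")
_HEX_W = rb"(?:[0-9a-fA-F]\x00)"
_RE_GUID_W = re.compile(_HEX_W + rb"{8}-\x00" + _HEX_W + rb"{4}-\x00" + _HEX_W + rb"{4}-\x00"
                        + _HEX_W + rb"{4}-\x00" + _HEX_W + rb"{12}")


def find_typelib_guids(blob: bytes) -> set[str]:
    """GUID-shaped strings, ASCII (as stored in the #Blob heap) or wide, lower-cased."""
    found = {m.group(0).decode("ascii").lower() for m in _RE_GUID_A.finditer(blob)}
    found |= {m.group(0).decode("utf-16-le").lower() for m in _RE_GUID_W.finditer(blob)}
    return found


def match_watchlist(blob: bytes, watchlist: set[str]) -> set[str]:
    return find_typelib_guids(blob) & {g.lower() for g in watchlist}


# --- Constructed sample input (not a real dump) -----------------------------
def _w(s: str) -> bytes:          # UTF-16LE string with its terminator
    return s.encode("utf-16-le") + b"\x00\x00"

SAMPLE_NAME = "Sample_B.exe"
WATCHLIST = {"11111111-2222-3333-4444-555555555555"}   # constructed placeholder
DUMP = (
    b"\x00" * 16
    + _w("OriginalFilename") + b"\x00\x00" + _w("SHELL32.DLL.MUI")     # mapped MUI resource
    + _w("OriginalFilename") + _w("Phulli.exe")                         # compiled-in name
    + _w("OriginalFilename") + _w("CertEnroll")                         # no extension
    + b"OriginalFilename\x00WebBrowserPassView.exeF\x00"                # trailing junk byte
    + b"OriginalFilename\x00mailpv.exe\x00"
    + b"OriginalFilename\x00" + SAMPLE_NAME.encode() + b"\x00"
    + b"\x24" + b"11111111-2222-3333-4444-555555555555" + b"\x00"       # #Blob-style, length-prefixed
    + _w("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")                         # wide GUID, not on the list
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DUMP
    name = sys.argv[2] if len(sys.argv) > 2 else SAMPLE_NAME
    for group, values in triage(data, name).items():
        print(f"{group:13s} {values}")
    print("watch-list GUIDs:", sorted(match_watchlist(data, WATCHLIST)))
```

Run it as `python triage.py <file-or-dump> <expected name>`; without arguments it runs over the constructed DUMP. The "mismatch" bucket is the one to read: on this sample it would hold the compiled-in name and the embedded tool names, while the hundreds of MUI entries land in "mui-resource" and can be ignored.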
Uses 32bit PE files
Source: Sample_B.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: Sample_B.exe, type: SAMPLE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Sample_B.exe, type: SAMPLE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: Sample_B.exe, type: SAMPLE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2113607102.00000000046F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2113562918.00000000046E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Sample_B.exe.2577280.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Windows Update.exe.46e0000.9.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Windows Update.exe.46f0000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.23bfc84.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: Sample_B.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Sample_B.exe, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: Windows Update.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: Windows Update.exe.0.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: Sample_B.exe, Form1.cs Base64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: Windows Update.exe.0.dr, Form1.cs Base64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs Base64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs Base64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: WindowsUpdate.exe.2.dr, Form1.cs Base64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs Base64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs Base64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: WindowsUpdate.exe.2.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Windows Update.exe.0.dr, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Sample_B.exe, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/15@6/2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00644FBA AdjustTokenPrivileges, 2_2_00644FBA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00644F83 AdjustTokenPrivileges, 2_2_00644F83
Source: C:\Users\user\Desktop\Sample_B.exe File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Sample_B.exe File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt
Source: Sample_B.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Sample_B.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Sample_B.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Sample_B.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\Desktop\Sample_B.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Sample_B.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Sample_B.exe, Windows Update.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Sample_B.exe, Windows Update.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Windows Update.exe, 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Sample_B.exe, Windows Update.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Sample_B.exe, Windows Update.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Sample_B.exe, Windows Update.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Sample_B.exe, Windows Update.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Sample_B.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: C:\Users\user\Desktop\Sample_B.exe File read: C:\Users\user\Desktop\Sample_B.exe
Source: unknown Process created: C:\Users\user\Desktop\Sample_B.exe 'C:\Users\user\Desktop\Sample_B.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\Sample_B.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\Sample_B.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Automated click: OK
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Sample_B.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: Sample_B.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\Sample_B.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Source: Sample_B.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: pC:\Win.pdbassembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: F^symbols\dll\mscorlib.pdb^ source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: .pdb; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbs\AppData\Roaming\Windows Update.exe source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb8 source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Sample_B.exe
Source: Binary string: dows\mC:\Users\user\AppData\Roaming__b77a5c561934e089\mscorlib.pdbne_d08cc06a442b34fc source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Sample_B.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Sample_B.exe
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbFP source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^T3/pC:\Windows\mscorlib.pdb4 source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2111699782.0000000000E70000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Sample_B.exe, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Sample_B.exe, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Sample_B.exe, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Sample_B.exe, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.0.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.0.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.0.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Windows Update.exe.0.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.2.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.2.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.2.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: WindowsUpdate.exe.2.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C30712 push eax; ret 0_2_00C30726
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C30712 push eax; ret 0_2_00C3074E
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C0B87E push ecx; ret 0_2_00C0B88E
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C0BA9D push eax; ret 0_2_00C0BAB1
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_00C0BA9D push eax; ret 0_2_00C0BAD9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F50712 push eax; ret 2_2_00F50726
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F50712 push eax; ret 2_2_00F5074E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F2B87E push ecx; ret 2_2_00F2B88E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F2BA9D push eax; ret 2_2_00F2BAB1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00F2BA9D push eax; ret 2_2_00F2BAD9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_001A7ED2 push eax; ret 2_2_001A7ED5
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_001A76C5 push esp; retf 2_2_001A76C6

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\Desktop\Sample_B.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Sample_B.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Sample_B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Sample_B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Sample_B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Sample_B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Sample_B.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Contains functionality to query network adapter information
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetAdaptersInfo, 2_2_00642E9A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetAdaptersInfo, 2_2_00642E72
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Sample_B.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Sample_B.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Sample_B.exe TID: 284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Sample_B.exe TID: 2028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2504 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2312 Thread sleep time: -1020000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2908 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2888 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2920 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2912 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2912 Thread sleep time: -1400000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2460 Thread sleep time: -180000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: Sample_B.exe, 00000000.00000002.2075920870.00000000004FB000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Sample_B.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: Sample_B.exe, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Sample_B.exe, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: Windows Update.exe.0.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Windows Update.exe.0.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.Sample_B.exe.bc0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.Sample_B.exe.bc0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: WindowsUpdate.exe.2.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: WindowsUpdate.exe.2.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.Windows Update.exe.ee0000.1.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.0.Windows Update.exe.ee0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Sample_B.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\Sample_B.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: Sample_B.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: Sample_B.exe, type: SAMPLE
Source: Yara match File source: 00000002.00000002.2112485117.0000000003371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: 0.2.Sample_B.exe.c1fa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.c1fa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.f3fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.f3fa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.3377e00.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.3377e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Windows Update.exe.54aec22.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Sample_B.exe, type: SAMPLE
Source: Yara match File source: 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: 0.0.Sample_B.exe.bc9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.36114d0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.36114d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc9c0d.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee9c0d.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: Sample_B.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Sample_B.exe String found in binary or memory: HawkEyeKeylogger
Source: Sample_B.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Sample_B.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Windows Update.exe String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: Sample_B.exe String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Sample_B.exe String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Sample_B.exe String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Sample_B.exe String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
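The strings listed above are what the "Detected HawkEye Rat" signature keys on; the stray characters glued to them in the report ("!", "M", "U", "C") are bytes that sit between adjacent strings in the binary, not part of the markers. As an added example (not part of the sandbox report or of the sample itself), the Python scanner below looks for those markers in a file or memory dump in both ASCII and UTF-16LE: .NET keeps string literals UTF-16LE in the #US metadata heap, so a plain ASCII grep over the dropped Windows Update.exe would miss them, while ASCII copies appear once the text is encoded for output such as the SMTP report body. The two-distinct-marker threshold and the sample buffers are assumptions constructed for the example, not the sandbox's actual Yara rule.

```python
import sys
from dataclasses import dataclass

# Marker strings taken from the report's "String found in binary or memory" lines.
HAWKEYE_MARKERS = (
    "HawkEyeKeylogger",
    "HawkEye_Keylogger_Execution_Confirmed_",
    "HawkEye_Keylogger_Stealer_Records_",
    "HawkEye_Keylogger_Keylog_Records_",
    "HawkEye Keylogger | Execution Confirmed |",
    "HawkEye Keylogger | Stealer Records |",
    "\\pidloc.txt",
)

# .NET stores string literals UTF-16LE in the #US heap; ASCII copies show up
# once the text is encoded for output (e.g. the mailed report). Scan for both.
ENCODINGS = ("ascii", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str
    offset: int


def find_markers(data: bytes, markers=HAWKEYE_MARKERS) -> list:
    """Return every occurrence of every marker, in either encoding, sorted by offset."""
    hits = []
    for marker in markers:
        for enc in ENCODINGS:
            needle = marker.encode(enc)
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx == -1:
                    break
                hits.append(Hit(marker, enc, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


def is_hawkeye(data: bytes, min_distinct: int = 2) -> bool:
    """Assumed threshold (not the sandbox's rule): require at least two distinct
    markers so a lone family name quoted in, say, an AV signature database
    does not trigger on its own."""
    return len({h.marker for h in find_markers(data)}) >= min_distinct


# Constructed sample buffers (not bytes from the real sample) for the two paths.
SAMPLE_ON_DISK = (            # how the markers look inside the .NET #US heap
    b"\x00" * 16
    + "HawkEyeKeylogger".encode("utf-16-le")
    + b"\x00\x00"
    + "\\pidloc.txt".encode("utf-16-le")
    + b"\x00" * 16
)
SAMPLE_IN_MEMORY = (          # how an encoded report body looks in a dump
    b"HawkEye Keylogger | Execution Confirmed |\r\n"
    + b"HawkEye_Keylogger_Stealer_Records_"
)
SAMPLE_BENIGN = b"Detected family: HawkEyeKeylogger (signature db entry)"


def main(argv):
    if len(argv) < 2:
        print("usage: hawkeye_strings.py <file-or-dump>")
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    for h in find_markers(data):
        print(f"{h.offset:#010x} {h.encoding:<9} {h.marker}")
    print("verdict:", "HawkEye" if is_hawkeye(data) else "no match")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the dropped file and against a process dump of the same PID and compare the encodings reported: the on-disk copy yields UTF-16LE hits only, which is the quickest way to confirm that a scanner you rely on actually decodes .NET string heaps.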
Yara detected HawkEye Keylogger
Source: Yara match File source: Sample_B.exe, type: SAMPLE
Source: Yara match File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_005D0DBA bind, 0_2_005D0DBA
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_005D09AA listen, 0_2_005D09AA
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_005D096C listen, 0_2_005D096C
Source: C:\Users\user\Desktop\Sample_B.exe Code function: 0_2_005D0D87 bind, 0_2_005D0D87
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_006409AA listen, 2_2_006409AA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00640DBA bind, 2_2_00640DBA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0064096C listen, 2_2_0064096C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00640D87 bind, 2_2_00640D87
Behavior Graph

Behavior Graph ID: 354163
Sample: Sample_B.exe
Startdate: 17/02/2021
Architecture: WINDOWS
Score: 100

Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 12 other signatures.

Sample_B.exe (started)
  dropped: C:\Users\user\AppData\...\Windows Update.exe, PE32
  dropped: C:\...\Windows Update.exe:Zone.Identifier, ASCII
  started: Windows Update.exe

Windows Update.exe (started by Sample_B.exe)
  DNS/IP: 163.190.5.0.in-addr.arpa
  DNS/IP: smtp.gmail.com 66.102.1.108, local port 49168 to 587, GOOGLEUS, United States
  DNS/IP: whatismyipaddress.com 104.16.155.36, local port 49167 to 80, CLOUDFLARENETUS, United States
  dropped: C:\Users\user\AppData\...\WindowsUpdate.exe, PE32
  dropped: C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII
  signatures: Changes the view of files in windows explorer (hidden files and folders); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
  started: dw20.exe
  started: vbc.exe
  started: vbc.exe
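The graph shows the chain that matters for detection: the dropped copy runs from the user's AppData\Roaming directory, asks whatismyipaddress.com for the machine's public address, then opens smtp.gmail.com on port 587 to mail out its records. As an added example (not part of the sandbox report), the Python below applies that sequence as a triage rule over connection events. The event schema, the list of user-writable directories and the two benign processes used for contrast are assumptions constructed for the example; PID 2360 and the paths of the malicious process are taken from the report.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection, given in time order. Field names are an
    assumption for this example, not a real sensor or sandbox schema."""
    pid: int
    image: str      # full path of the connecting process
    dst_host: str   # resolved destination name (or raw IP if unresolved)
    dst_port: int


# Indicators from the report's behavior graph.
IP_LOOKUP_HOSTS = {"whatismyipaddress.com"}
SMTP_PORTS = {25, 465, 587}
# Assumed: directories a dropper can write to without elevation.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def runs_from_user_writable_dir(image: str) -> bool:
    p = image.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def find_smtp_exfil(events):
    """Return (pid, image, smtp_hosts) for each process that runs from a
    user-writable directory, performs a public-IP lookup, and afterwards
    connects to an SMTP port. A mail client under Program Files or a browser
    that merely visits the lookup site does not match."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    flagged = []
    for pid, evs in by_pid.items():
        image = evs[0].image
        if not runs_from_user_writable_dir(image):
            continue
        lookups = [i for i, ev in enumerate(evs) if ev.dst_host.lower() in IP_LOOKUP_HOSTS]
        smtp = [i for i, ev in enumerate(evs) if ev.dst_port in SMTP_PORTS]
        # Require the lookup to precede at least one SMTP connection.
        if lookups and smtp and min(lookups) < max(smtp):
            flagged.append((pid, image, sorted({evs[i].dst_host for i in smtp})))
    return flagged


# Constructed events modelled on the report's graph; PID 2360 and its path are
# from the report, the Outlook and Firefox events are invented for contrast.
SAMPLE_EVENTS = [
    NetEvent(2360, r"C:\Users\user\AppData\Roaming\Windows Update.exe", "whatismyipaddress.com", 80),
    NetEvent(2360, r"C:\Users\user\AppData\Roaming\Windows Update.exe", "smtp.gmail.com", 587),
    NetEvent(4100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "smtp.gmail.com", 587),
    NetEvent(5200, r"C:\Program Files\Mozilla Firefox\firefox.exe", "whatismyipaddress.com", 443),
]


if __name__ == "__main__":
    for pid, image, hosts in find_smtp_exfil(SAMPLE_EVENTS):
        print(f"PID {pid}: {image} -> SMTP to {', '.join(hosts)}")
```

The ordering check is deliberate: HawkEye resolves its public address before mailing, so a process that only sends SMTP (a real mail client) or only visits the lookup site (a user in a browser) stays below the bar, which keeps the rule usable outside the sandbox.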

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name         Malicious
104.16.155.36  unknown  United States  13335  CLOUDFLARENETUS  false
66.102.1.108   unknown  United States  15169  GOOGLEUS         false

Contacted Domains

Name                      IP             Active
whatismyipaddress.com     104.16.155.36  true
cdn.digicertcdn.com       104.18.10.39   true
smtp.gmail.com            66.102.1.108   true
163.190.5.0.in-addr.arpa  unknown        unknown

Contacted URLs

Name                           Malicious  Antivirus Detection  Reputation
http://whatismyipaddress.com/  false      -                    high