
Analysis Report Sample_B.exe

Overview

General Information

Sample Name:Sample_B.exe
Analysis ID:354163
MD5:78300bd48d50fa7e5f3f6a933cc5f739
SHA1:03157f27b0d5141465adeeaf9b3a7b5f3e60f614
SHA256:424212e76c0e660538ee49126079980b34f4dd343e002004f67ea71a937af5e3

Detection

HawkEye, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • Sample_B.exe (PID: 2368 cmdline: 'C:\Users\user\Desktop\Sample_B.exe' MD5: 78300BD48D50FA7E5F3F6A933CC5F739)
    • Windows Update.exe (PID: 2360 cmdline: 'C:\Users\user\AppData\Roaming\Windows Update.exe' MD5: 78300BD48D50FA7E5F3F6A933CC5F739)
      • dw20.exe (PID: 2932 cmdline: dw20.exe -x -s 1708 MD5: FBA78261A16C65FA44145613E3669E6E)
      • vbc.exe (PID: 2852 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
      • vbc.exe (PID: 2816 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' MD5: 1672D0478049ABDAF0197BE64A7F867F)
  • cleanup
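The Startup tree above is the most actionable part of this report for detection engineering: the sample re-launches itself from %AppData%\Roaming under the name "Windows Update.exe" (same MD5 as the submitted file), and that copy spawns two instances of the VB.NET compiler vbc.exe with "/stext <file>". vbc.exe has no such switch; /stext is the text-export option of the NirSoft recovery tools, which fits the process-hollowing, MailPassView and WebBrowserPassView signatures listed above (holdermail.txt is also one of the RAT_HawkEye Yara strings). No Sigma rule matched, so the following is an added example, not part of the Joe Sandbox report, of the process-creation checks an analyst would encode for this tree. The event records are constructed from the tree; the explorer.exe parent, the System32 path for dw20.exe and the record field names are this example's assumptions.

```python
import re

# Process-creation events reconstructed from the report's Startup tree.
# The pid/ppid/image/cmdline/md5 record shape is this example's own, not a
# sandbox export format. Assumptions: explorer.exe as parent of the sample,
# the System32 path for dw20.exe, and None for hashes the report does not give.
EVENTS = [
    {"pid": 1612, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "md5": None},
    {"pid": 2368, "ppid": 1612, "image": r"C:\Users\user\Desktop\Sample_B.exe",
     "cmdline": r"'C:\Users\user\Desktop\Sample_B.exe'",
     "md5": "78300BD48D50FA7E5F3F6A933CC5F739"},
    {"pid": 2360, "ppid": 2368,
     "image": r"C:\Users\user\AppData\Roaming\Windows Update.exe",
     "cmdline": r"'C:\Users\user\AppData\Roaming\Windows Update.exe'",
     "md5": "78300BD48D50FA7E5F3F6A933CC5F739"},
    {"pid": 2932, "ppid": 2360, "image": r"C:\Windows\System32\dw20.exe",
     "cmdline": "dw20.exe -x -s 1708", "md5": "FBA78261A16C65FA44145613E3669E6E"},
    {"pid": 2852, "ppid": 2360,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'",
     "md5": "1672D0478049ABDAF0197BE64A7F867F"},
    {"pid": 2816, "ppid": 2360,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'",
     "md5": "1672D0478049ABDAF0197BE64A7F867F"},
]

# NirSoft tools export recovered credentials with /stext, /shtml, /sxml, ...;
# the .NET build binaries below accept no such switch, so seeing one means the
# image on disk is not the code that is running (process hollowing / RunPE).
NIRSOFT_EXPORT_SWITCH = re.compile(r"(?<!\S)/s(text|html|verhtml|xml|comma|tab|tabular)\b", re.I)
HOLLOWING_HOSTS = {"vbc.exe", "csc.exe", "cvtres.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}
OS_NAME_LOOKALIKE = re.compile(r"^windows\s*update\.exe$")   # "Windows Update.exe", "WindowsUpdate.exe"
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, tag) findings for the hollowing/masquerading pattern in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_in_appdata = bool(parent and USER_WRITABLE.search(parent["image"]))
        if name in HOLLOWING_HOSTS and NIRSOFT_EXPORT_SWITCH.search(e["cmdline"]):
            findings.append((e["pid"], "nirsoft_switch_in_hollowing_host"))
        if OS_NAME_LOOKALIKE.match(name) and USER_WRITABLE.search(e["image"]):
            findings.append((e["pid"], "os_lookalike_in_appdata"))
        if parent_in_appdata and name in HOLLOWING_HOSTS:
            findings.append((e["pid"], "hollowing_host_spawned_from_appdata"))
        if parent_in_appdata and name == "dw20.exe":
            # Watson crash reporter for an AppData binary: the "One or more
            # processes crash" signature, seen here right after injection.
            findings.append((e["pid"], "crash_reporter_for_appdata_binary"))
        if (parent and e["md5"] and e["md5"] == parent["md5"]
                and e["image"].lower() != parent["image"].lower()):
            # Same hash, different path: the sample copied and relaunched itself.
            findings.append((e["pid"], "self_copy_relaunch"))
    return findings


def flagged_pids(events):
    return sorted({pid for pid, _ in analyze(events)})


if __name__ == "__main__":
    for pid, tag in analyze(EVENTS):
        print(pid, tag)
```

The checks key on relationships (parent path, parent hash, switch vs. image) rather than on the file names the sample chose, so a renamed dropper or a different hollowing host still trips them.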

Malware Configuration

Threatname: HawkEye

{"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}

Yara Overview

Initial Sample

Sample_B.exe
  Rule: HKTL_NET_GUID_Stealer (Detects c# red/black-team tools via typelibguid; author: Arnim Rupp)
    • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
  Rule: RAT_HawkEye (Detects HawkEye RAT; author: Kevin Breen <kevin@techanarchy.net>)
    • 0x7ba1d:$key: HawkEyeKeylogger
    • 0x7dd13:$salt: 099u787978786
    • 0x7c09a:$string1: HawkEye_Keylogger
    • 0x7ceed:$string1: HawkEye_Keylogger
    • 0x7dc73:$string1: HawkEye_Keylogger
    • 0x7c483:$string2: holdermail.txt
    • 0x7c4a3:$string2: holdermail.txt
    • 0x7c3c5:$string3: wallet.dat
    • 0x7c3dd:$string3: wallet.dat
    • 0x7c3f3:$string3: wallet.dat
    • 0x7d837:$string4: Keylog Records
    • 0x7db4f:$string4: Keylog Records
    • 0x7dd6b:$string5: do not script -->
    • 0x7ba05:$string6: \pidloc.txt
    • 0x7ba93:$string7: BSPLIT
    • 0x7baa3:$string7: BSPLIT
  Rule: JoeSecurity_MailPassView (Yara detected MailPassView; author: Joe Security)
  Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger; author: Joe Security)
  Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool; author: Joe Security)

Dropped Files

C:\Users\user\AppData\Roaming\WindowsUpdate.exe
  Rule: HKTL_NET_GUID_Stealer (Detects c# red/black-team tools via typelibguid; author: Arnim Rupp)
    • 0x7423:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
  Rule: RAT_HawkEye (Detects HawkEye RAT; author: Kevin Breen <kevin@techanarchy.net>)
    • same sixteen string hits at the same offsets as in Sample_B.exe (0x7ba1d:$key through 0x7baa3:$string7)
  Rule: JoeSecurity_MailPassView (Yara detected MailPassView; author: Joe Security)
  Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger; author: Joe Security)
  Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool; author: Joe Security)

Memory Dumps

00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp
  Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool; author: Joe Security)
00000002.00000002.2112485117.0000000003371000.00000004.00000001.sdmp
  Rule: JoeSecurity_MailPassView (Yara detected MailPassView; author: Joe Security)
00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp
  Rule: RAT_HawkEye (Detects HawkEye RAT; author: Kevin Breen <kevin@techanarchy.net>)
    • 0x7b81d:$key: HawkEyeKeylogger
    • 0x7db13:$salt: 099u787978786
    • 0x7be9a:$string1: HawkEye_Keylogger
    • 0x7cced:$string1: HawkEye_Keylogger
    • 0x7da73:$string1: HawkEye_Keylogger
    • 0x7c283:$string2: holdermail.txt
    • 0x7c2a3:$string2: holdermail.txt
    • 0x7c1c5:$string3: wallet.dat
    • 0x7c1dd:$string3: wallet.dat
    • 0x7c1f3:$string3: wallet.dat
    • 0x7d637:$string4: Keylog Records
    • 0x7d94f:$string4: Keylog Records
    • 0x7db6b:$string5: do not script -->
    • 0x7b805:$string6: \pidloc.txt
    • 0x7b893:$string7: BSPLIT
    • 0x7b8a3:$string7: BSPLIT
  Rule: JoeSecurity_MailPassView (Yara detected MailPassView; author: Joe Security)
  Rule: JoeSecurity_HawkEye (Yara detected HawkEye Keylogger; author: Joe Security)

Unpacked PEs

0.0.Sample_B.exe.bc9c0d.1.unpack
  Rule: JoeSecurity_WebBrowserPassView (Yara detected WebBrowserPassView password recovery tool; author: Joe Security)
0.2.Sample_B.exe.2577280.5.raw.unpack
  Rule: HKTL_NET_GUID_Stealer (Detects c# red/black-team tools via typelibguid; author: Arnim Rupp)
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.Windows Update.exe.46e0000.9.raw.unpack
  Rule: HKTL_NET_GUID_Stealer (Detects c# red/black-team tools via typelibguid; author: Arnim Rupp)
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
2.2.Windows Update.exe.46f0000.10.raw.unpack
  Rule: HKTL_NET_GUID_Stealer (Detects c# red/black-team tools via typelibguid; author: Arnim Rupp)
    • 0x101b:$typelibguid0: 8fcd4931-91a2-4e18-849b-70de34ab75df
0.2.Sample_B.exe.c1fa72.2.unpack
  Rule: JoeSecurity_MailPassView (Yara detected MailPassView; author: Joe Security)
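The Yara section records where each rule string lands in the sample, the dropped copy and the memory dumps. The RAT_HawkEye offsets in the 0xBC2000 dump sit exactly 0x200 below those in the file (0x7b81d vs 0x7ba1d, 0x7db13 vs 0x7dd13), consistent with a dump that starts at the executable section (image base 0xBC0000 according to the unpacked-PE names) whose raw data begins at file offset 0x200. The following is an added example, not the report's or the rule authors' code, that reproduces this kind of offset listing over a byte buffer: it searches the indicator strings quoted above in both ASCII and UTF-16LE (what Yara calls "wide", the encoding pair typelib-GUID rules are written for) and adds the mailpv, WebBrowserPassView and CMemoryExecute .pdb paths from the Compliance section as extra indicators. The scoring condition is this example's own and is not the logic of RAT_HawkEye or HKTL_NET_GUID_Stealer; the sample buffer is constructed.

```python
# Indicator strings quoted in the report's Yara Overview (RAT_HawkEye and
# HKTL_NET_GUID_Stealer) plus the .pdb paths from the Compliance section.
INDICATORS = {
    "$key":          b"HawkEyeKeylogger",
    "$salt":         b"099u787978786",
    "$string1":      b"HawkEye_Keylogger",
    "$string2":      b"holdermail.txt",
    "$string3":      b"wallet.dat",
    "$string4":      b"Keylog Records",
    "$string5":      b"do not script -->",
    "$string6":      b"\\pidloc.txt",
    "$string7":      b"BSPLIT",
    "$typelibguid0": b"8fcd4931-91a2-4e18-849b-70de34ab75df",
    "$pdb_runpe":    b"CMemoryExecute.pdb",     # RunPE-style .NET loader
    "$pdb_mailpv":   b"mailpv.pdb",             # NirSoft Mail PassView
    "$pdb_wbpv":     b"WebBrowserPassView.pdb", # NirSoft WebBrowserPassView
}


def find_all(buf: bytes, needle: bytes):
    """Every offset of needle in buf, overlapping matches included."""
    hits, i = [], buf.find(needle)
    while i != -1:
        hits.append(i)
        i = buf.find(needle, i + 1)
    return hits


def scan(buf: bytes):
    """Map indicator name -> sorted [(offset, 'ascii'|'wide')], like the report's string list."""
    hits = {}
    for name, ascii_needle in INDICATORS.items():
        wide_needle = ascii_needle.decode("latin-1").encode("utf-16-le")
        for enc, needle in (("ascii", ascii_needle), ("wide", wide_needle)):
            for off in find_all(buf, needle):
                hits.setdefault(name, []).append((off, enc))
    for locations in hits.values():
        locations.sort()
    return hits


def verdict(hits):
    """This example's own condition, not the published rules' logic."""
    n_strings = sum(1 for name in hits if name.startswith("$string"))
    return {
        "hawkeye": "$key" in hits and "$salt" in hits and n_strings >= 3,
        "stealer_typelib": "$typelibguid0" in hits,
        "embedded_nirsoft": "$pdb_mailpv" in hits or "$pdb_wbpv" in hits,
    }


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed test buffer: indicators placed at known offsets in a zero-filled
# 0x700-byte region. Not a real sample; the offsets are chosen, not observed.
LAYOUT = [
    (0x100, b"HawkEyeKeylogger"),
    (0x120, b"099u787978786"),
    (0x200, "holdermail.txt".encode("utf-16-le")),
    (0x300, b"8fcd4931-91a2-4e18-849b-70de34ab75df"),
    (0x400, "8fcd4931-91a2-4e18-849b-70de34ab75df".encode("utf-16-le")),
    (0x500, b"wallet.dat"),
    (0x520, b"wallet.dat"),
    (0x540, b"Keylog Records"),
    (0x600, b"f:\\Projects\\VS2005\\mailpv\\Release\\mailpv.pdb"),
]


def build_sample():
    buf = bytearray(0x700)
    for off, data in LAYOUT:
        buf[off:off + len(data)] = data
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    for name, locations in sorted(scan(SAMPLE).items()):
        for off, enc in locations:
            print(f"0x{off:x}:{name} ({enc})")
    print(verdict(scan(SAMPLE)))
```

Running scan_file() against the sample and against the 0xBC2000 dump would reproduce the 0x200 shift seen in the report; the wide search matters for the GUID, which a .NET binary can carry as UTF-16 in resources or string tables as well as UTF-8 in metadata.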

                          Sigma Overview

                          No Sigma rule has matched

                          Signature Overview

                          AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Sample_B.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Found malware configuration
Source: Windows Update.exe.2360.2.memstr; Malware Configuration Extractor: HawkEye {"Modules": ["mailpv", "WebBrowserPassView", "Mail PassView"], "Version": ""}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Sample_B.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.Sample_B.exe.bc0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 0.0.Sample_B.exe.bc0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.Windows Update.exe.ee0000.1.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.Windows Update.exe.ee0000.1.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Sample_B.exe.bc0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.Sample_B.exe.bc0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473
Source: 2.0.Windows Update.exe.ee0000.0.unpack; Avira: Label: TR/AD.MExecute.lzrac
Source: 2.0.Windows Update.exe.ee0000.0.unpack; Avira: Label: SPR/Tool.MailPassView.473

                          Compliance:

Uses 32bit PE files
Source: Sample_B.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\Sample_B.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Sample_B.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: pC:\Win.pdbassembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: F^symbols\dll\mscorlib.pdb^; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: .pdb;; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^indows\mscorlib.pdbpdblib.pdb; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbs\AppData\Roaming\Windows Update.exe; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb8; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb; source: Sample_B.exe
Source: Binary string: dows\mC:\Users\user\AppData\Roaming__b77a5c561934e089\mscorlib.pdbne_d08cc06a442b34fc; source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb; source: Sample_B.exe
Source: Binary string: C:\Windows\dll\mscorlib.pdb; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb; source: Sample_B.exe
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbFP; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: ^T3/pC:\Windows\mscorlib.pdb4; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbH; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb; source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb; source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2111699782.0000000000E70000.00000002.00000001.sdmp
May infect USB drives
Source: Sample_B.exe; Binary or memory string: autorun.inf
Source: Sample_B.exe; Binary or memory string: [autorun]
Source: Windows Update.exe; Binary or memory string: [autorun]
Source: Windows Update.exe; Binary or memory string: autorun.inf
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Sample_B.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (reported 3 times)
Source: C:\Users\user\Desktop\Sample_B.exe; Code function: 4x nop then jmp 00551A73h
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 4x nop then lea esp, dword ptr [ebp-08h]
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] (reported 15 times)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 4x nop then call 004E1B20h (reported 3 times)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 4x nop then mov esp, ebp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 4x nop then jmp 004E1A73h (reported 2 times)

                          Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: whatismyipaddress.com (5 queries)
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 66.102.1.108:587
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1, Host: whatismyipaddress.com, Connection: Keep-Alive (no User-Agent header)
Source: Joe Sandbox View; IP Address: 104.16.155.36
Source: Joe Sandbox View; IP Address: 66.102.1.108
Source: C:\Users\user\AppData\Roaming\Windows Update.exe; Code function: 2_2_0011A09A recv
                          Source: Sample_B.exeString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                          Source: Sample_B.exeString found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                          Source: Sample_B.exe, 00000000.00000002.2075873795.00000000004C2000.00000004.00000020.sdmpString found in binary or memory: WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                          Source: Sample_B.exe, 00000000.00000002.2075873795.00000000004C2000.00000004.00000020.sdmpString found in binary or memory: WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                          Source: Sample_B.exe, Windows Update.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                          Source: unknownDNS traffic detected: queries for: 163.190.5.0.in-addr.arpa
                          Source: 3C428B1A3E5F57D887EC4B864FAC5DCC.3.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
                          Source: Sample_B.exeString found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                          Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                          Source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                          Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                          Source: 77EC63BDA74BD0D0E0426DC8F8008506.3.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
                          Source: Sample_B.exeString found in binary or memory: http://ocsp.comodoca.com0
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                          Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
                          Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                          Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
                          Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
                          Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: http://whatismyipaddress.com/
Source: Sample_B.exe | String found in binary or memory: http://whatismyipaddress.com/-
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: Sample_B.exe | String found in binary or memory: http://www.nirsoft.net/
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php
Source: Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
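Triage helper for the "String found in binary or memory" evidence above. This is an added example written for this page; it is not part of the Joe Sandbox report and not code from HawkEye. It parses report lines of the shape shown above, splits the source list (process names and .sdmp memory-dump names) from the URL, decodes the dump name, and buckets each URL so that certificate-policy (CPS) strings and legacy Windows component strings can be set aside from the few worth a closer look. The bucket host lists, the dump-name field layout and the PAGE_* decoding are assumptions made here, not something the report states.

```python
"""Triage of Joe Sandbox "String found in binary or memory" lines.

Added example, not part of the report or of the sample. The bucket lists and
the .sdmp name layout below are the author's assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed input: lines copied from this page. The parser accepts both the
# "Source: X | String found ..." layout and the fused "Source: XString found ..."
# form that HTML-to-text conversion of these reports produces.
REPORT_LINES = [
    "Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: http://whatismyipaddress.com/",
    "Source: Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02",
    "Source: Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0",
    "Source: Sample_B.exe | String found in binary or memory: http://www.nirsoft.net/",
    "Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: http://www.site.com/logs.php",
    "Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe",
    "Source: Sample_B.exe, Windows Update.exe | String found in binary or memory: https://login.yahoo.com/config/login",
]

LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)$")
# Assumed layout of a dump name:
# <process index>.<state>.<dump id>.<base address>.<page protection>.<type>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$")
# Standard Win32 PAGE_* values; the report's protection field is read as one of these.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Analyst-chosen buckets (assumption). First match wins; unlisted hosts go to "review".
BUCKETS = [
    ("cert-cps", ("digicert.com.my", "diginotar.nl", "comodo.com", "pki.goog")),
    ("ip-check", ("whatismyipaddress.com",)),
    ("legacy-os", ("msn.com", "hotmail.com", "windowsmedia.com", "windows.com",
                   "msnbc.com", "icra.org")),
    ("recovery-tool", ("nirsoft.net",)),
    ("webmail-login", ("login.yahoo.com", "google.com")),
]


def parse_line(line):
    """Split one evidence line into ([sources], url); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sources = [s.strip() for s in m.group("src").split(",") if s.strip()]
    return sources, m.group("url")


def describe_dump(name):
    """Decode a .sdmp name into process index, state, base and page protection."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    prot = int(m.group("prot"), 16)
    return {"process_index": int(m.group("proc"), 16),
            "state": int(m.group("state"), 16),
            "base": int(m.group("base"), 16),
            "protect": PAGE_PROTECT.get(prot, hex(prot))}


def classify(url):
    """Bucket a URL by host suffix; anything unlisted is left for review."""
    host = (urlsplit(url).hostname or "").lower()
    for bucket, hosts in BUCKETS:
        if any(host == h or host.endswith("." + h) for h in hosts):
            return bucket
    return "review"


def triage(lines):
    """Group every parsable line by bucket: {bucket: [(url, sources, dumps)]}."""
    grouped = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sources, url = parsed
        dumps = [d for d in (describe_dump(s) for s in sources) if d]
        grouped.setdefault(classify(url), []).append((url, sources, dumps))
    return grouped


if __name__ == "__main__":
    for bucket, hits in sorted(triage(REPORT_LINES).items()):
        print(f"[{bucket}]")
        for url, sources, dumps in hits:
            where = ", ".join(d["protect"] for d in dumps) or "image only"
            print(f"  {url}  <- {len(sources)} source(s); {where}")
```

Run against the lines above, the only URL left in the "review" bucket is http://www.site.com/logs.php, and its dump name decodes to a PAGE_READWRITE region of process index 2 (Windows Update.exe), which is where a runtime configuration rather than a static library string would be expected to live; the CPS and hotmail/msn strings fall into their noise buckets.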

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match | File source: Sample_B.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: Sample_B.exe, Form1.cs | .Net Code: HookKeyboard
Source: Windows Update.exe.0.dr, Form1.cs | .Net Code: HookKeyboard
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Source: WindowsUpdate.exe.2.dr, Form1.cs | .Net Code: HookKeyboard
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | .Net Code: HookKeyboard
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: Sample_B.exe, type: SAMPLE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Sample_B.exe, type: SAMPLE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Sample_B.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\Sample_B.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00646A6A NtResumeThread,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00645172 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00646B12 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00646AE5 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00645145 NtQuerySystemInformation,
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BCD426
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BDD5AE
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BCD523
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BCD6C4
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BD7646
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C06AF4
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C2ABFC
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C23CBE
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C23C4D
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C23DC0
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BCED03
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C23D2F
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BDAFA6
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BCCF92
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00551DB8
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00BFC7BC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F103C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00EED426
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00EFD5AE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00EED523
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00EED6C4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00EF7646
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F229BE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F26AF4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F4ABFC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F43CBE
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F43C4D
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F43DC0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F43D2F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00EEED03
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00EFAFA6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00EECF92
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_001A638C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004E6068
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004E7200
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004E8A90
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004E5778
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_004E8DE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F1C7BC
Source: C:\Users\user\Desktop\Sample_B.exe | Code function: String function: 00C0BA9D appears 36 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: String function: 00F2BA9D appears 36 times
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
Source: Sample_B.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Sample_B.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Sample_B.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Sample_B.exe | Binary or memory string: OriginalFilename vs Sample_B.exe
Source: Sample_B.exe | Binary or memory string: OriginalFileName vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | Binary or memory string: OriginalFilenamemailpv.exe< vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewersvcj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbengine.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepuiapi.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWfsR.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmplayer.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemsfltr32.acm.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameaudiosrv.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamebatt.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameMDMINST.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWCNCSVC.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamePOWRPROF.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameAUTOPLAY.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamedmdskres.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamegpscript.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamesdcpl.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamesrchadmin.dll.mui@ vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWPDSp.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameVfWWDM32.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameUsbui.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameERCj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamecscsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameehRecvr.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamessdpsrv.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameRUNDLL32.EXE.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenetcfgx.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemsfeedsbs.dll.muiD vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameunregmp2.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWUDFSvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameWPCCPL.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameTrustedInstaller.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameUxTheme.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenetprof.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamebattc.sys.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewevtsvc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameappmgmts.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamesti_ci.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamefaultrep.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewdc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameqwavedrv.sys.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewucltux.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameunpnhost.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameappinfo.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemidimap.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemmcndmgr.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameAccessibilityCpl.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameMSRATING.DLL.MUID vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameoleres.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewmploc.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameACCTRES.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameOLEACCRC.DLL.MUIj% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameIPBusEnum.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamerstrui.exe.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameieinstal.exe.muiD vs Sample_B.exe
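Correlating the native calls listed above into a process-hollowing check. This is an added example written for this page; it is not part of the Joe Sandbox report and not code from HawkEye. The report shows Windows Update.exe (PID 2360) containing calls to NtWriteVirtualMemory and NtResumeThread, and shows vbc.exe, the .NET Framework 2.0 Visual Basic compiler, as a third process with memory being allocated in it. A hollowing loader uses those calls in a fixed order: create a victim with CREATE_SUSPENDED, write a PE image into it, optionally repoint the main thread with NtSetContextThread, then NtResumeThread. The detector below replays a constructed API trace in that order; the event layout, the byte threshold and the PIDs other than 2360 are assumptions, not data from the report.

```python
"""Process-hollowing correlation over an API-call trace.

Added example, not part of the report or of the sample. The trace, the event
field names, MIN_WRITE_BYTES and all PIDs except 2360 are assumptions.
"""
CREATE_SUSPENDED = 0x00000004   # Win32 dwCreationFlags bit
MIN_WRITE_BYTES = 0x200         # assumption: at least a PE header's worth of data

# Constructed trace: (caller_pid, api, args). 2360 is the report's
# Windows Update.exe PID; 2400 and the unrelated 3000/3001 pair are invented.
TRACE = [
    (2360, "CreateProcessW", {"image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
                              "flags": CREATE_SUSPENDED, "child_pid": 2400}),
    (2360, "NtUnmapViewOfSection", {"pid": 2400}),
    (2360, "NtAllocateVirtualMemory", {"pid": 2400, "size": 0x2C000}),
    (2360, "NtWriteVirtualMemory", {"pid": 2400, "size": 0x400}),
    (2360, "NtWriteVirtualMemory", {"pid": 2400, "size": 0x2B000}),
    (2360, "NtSetContextThread", {"pid": 2400}),
    (2360, "NtResumeThread", {"pid": 2400}),
    # A child created without CREATE_SUSPENDED that receives a small write: no alert.
    (3000, "CreateProcessW", {"image": r"C:\tools\helper.exe", "flags": 0, "child_pid": 3001}),
    (3000, "NtWriteVirtualMemory", {"pid": 3001, "size": 0x10}),
    (3000, "NtResumeThread", {"pid": 3001}),
]


def detect_hollowing(trace):
    """Return one alert per child that its creator spawned suspended, wrote into,
    and then resumed. NtUnmapViewOfSection and NtSetContextThread raise the
    confidence but are not required, since a loader can skip either of them."""
    children = {}   # child_pid -> tracking state for that child
    alerts = []
    for caller, api, args in trace:
        if api == "CreateProcessW":
            children[args["child_pid"]] = {
                "parent": caller, "image": args["image"],
                "suspended": bool(args["flags"] & CREATE_SUSPENDED),
                "written": 0, "unmapped": False, "context_set": False}
            continue
        st = children.get(args.get("pid"))
        if st is None or st["parent"] != caller:
            continue                          # only the creator's own actions count
        if api == "NtWriteVirtualMemory":
            st["written"] += args.get("size", 0)
        elif api == "NtUnmapViewOfSection":
            st["unmapped"] = True
        elif api == "NtSetContextThread":
            st["context_set"] = True
        elif api == "NtResumeThread":
            if st["suspended"] and st["written"] >= MIN_WRITE_BYTES:
                confidence = "high" if (st["unmapped"] or st["context_set"]) else "medium"
                alerts.append({"parent_pid": caller, "child_pid": args["pid"],
                               "child_image": st["image"],
                               "bytes_written": st["written"],
                               "confidence": confidence})
    return alerts


if __name__ == "__main__":
    for a in detect_hollowing(TRACE):
        print(f"hollowing ({a['confidence']}): pid {a['parent_pid']} -> pid {a['child_pid']} "
              f"{a['child_image']} ({a['bytes_written']:#x} bytes written)")
```

The resume call is the trigger point because that is when the written image starts executing; a detector that fires on the write alone produces noise from debuggers and installers, while one that also requires NtSetContextThread misses loaders that overwrite the original image in place and leave the entry point untouched.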
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewmisvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSRVSVC.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedeskadp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePowerCPL.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsadp32.acm.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSRV.SYS.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameiccvid.drv.muiN vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpapi.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebluetooth.cpl.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewpd_ci.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameINETRES.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSWPRV.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePhotoScreensaver.scr.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameATL.DLL.MUIR vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmcbase.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelhdfrgui.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePDH.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMPNSSCI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamescsiport.sys.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAVIFIL32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemmci.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametermsrv.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameBubblesj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameIE4UINIT.EXE.MUID vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameiedkcs32.dll.muiD vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWinMail.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewevtutil.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameTBSSVC.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameulib.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamei8042prt.sys.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemycomput.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameparport.sys.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedsound.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamefwcfg.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameqwave.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameumrdp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCSRSS.Exe.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewinsrv.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWinInit.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWINLOGON.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameservices.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelsasrv.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesvchost.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshtcpip.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewship6.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshqos.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAUTHUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametzres.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesppsvc.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameInput.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameTipTsf.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSpTip.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameTableTextService.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaero.msstyles.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskcomp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamespoolsv.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameBFE.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFirewallAPI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskhost.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUSERINIT.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSCMS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamej% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMsCtfMonitor.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesnmptrap.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelmhsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedwm.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedhcpcore.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepeerdistsh.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameNetLogon.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesstpsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamelocalspl.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFXSRESM.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskeng.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWsdMon.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamevsstrace.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenetprofm.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameThemeUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameExplorerFrame.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameesrb.dll.muiH vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamexpsrchvw.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamestobject.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamerasdlg.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAltTab.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewscui.cpl.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameHCPROVIDERS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSearchIndexer.exe.mui@ vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePNIDUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametquery.dll.mui@ vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameesent.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesidebar.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMsMpRes.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametwext.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamempr.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameschedsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFDResPub.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFunDisc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamerpcrt4.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFDPrint.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameBASEBRD.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameimageres.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWINMM.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameDocumentPerformanceEvents.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWerConCpl.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSHTML.DLL.MUID vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSHSVCS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskmgr.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSndVolSSO.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewin32spl.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameinetpp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameadvapi32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameprovsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamep2pcollab.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameQAgentRT.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameDhcpQEC.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlasvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenapinsp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepnrpnsp.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameFVEUI.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamews2_32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameiphlpapi.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWebServices.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedhcpcsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepcwum.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamefwpuclnt.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuserenv.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametsgqec.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCertEnrollj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewebio.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameperftrack.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCDOSYS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedwmapi.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCertClij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamecimwin32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegptext.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemsobjs.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepnrpsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameazrolesj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedrt.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameNDIS.SYS.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamePeerDistSvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWsmRes.dll.muij% vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000000.2069282120.0000000000C42000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Sample_B.exe
Source: Sample_B.exe, 00000000.00000002.2075802327.0000000000464000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewuaueng.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameOLE32.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamew32time.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameslui.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameUSERCPL.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenametaskschd.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMDM.dll.muiZ vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebthci.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSHTMLER.DLL.MUID vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenapdsnap.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameREGSVC.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesbdropj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamebrserid.sys.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamecomdlg32.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSXS.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamedps.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWMPNSCFG.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamesdclt.exe.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWEBCHECK.DLL.MUID vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameAuxiliaryDisplayCpl.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMBLCTR.EXE.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameEFSADU.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameWPDMTPDR.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameNetworkItemFactory.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSCTF.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaudiodev.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameaelupsvc.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamejscript.dll.muiH vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamegpedit.dll.muij% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameMSOERES.DLL.MUIj% vs Sample_B.exe
                          Source: Sample_B.exe, 00000000.00000002.2077020537.0000000004710000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs Sample_B.exe
                          Source: Sample_B.exeBinary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Sample_B.exe
                          Source: Sample_B.exeBinary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Sample_B.exe
                          Source: Sample_B.exeBinary or memory string: OriginalFilenamemailpv.exe< vs Sample_B.exe
                          Source: Sample_B.exeBinary or memory string: OriginalFilenamePhulli.exe0 vs Sample_B.exe
                          Source: Sample_B.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                          Source: Sample_B.exe, type: SAMPLEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: Sample_B.exe, type: SAMPLEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: Sample_B.exe, type: SAMPLEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000002.2113607102.00000000046F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000002.2113562918.00000000046E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORYMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORYMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPEDMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.2.Sample_B.exe.2577280.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.46e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.46f0000.10.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: 2.2.Windows Update.exe.23bfc84.6.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPEMatched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
                          Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPEMatched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
                          Source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPEMatched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
                          Source: Sample_B.exe, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Sample_B.exe, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Sample_B.exe, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Sample_B.exe, Form1.csCryptographic APIs: 'CreateDecryptor'
                          Source: Windows Update.exe.0.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Windows Update.exe.0.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Windows Update.exe.0.dr, Form1.csCryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                          Source: Windows Update.exe.0.dr, Form1.csCryptographic APIs: 'CreateDecryptor'
                          Source: Sample_B.exe, Form1.csBase64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: Windows Update.exe.0.dr, Form1.csBase64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.csBase64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.csBase64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: WindowsUpdate.exe.2.dr, Form1.csBase64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.csBase64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.csBase64 encoded string: 'YlAuOB61JP7Xi5h8K5L2IGA3jMtN/jZDgXP5GUj1CQYs9MF2eXs+5iQpyz2Lq/2U', 'YHJmuJ6TTu5y2oLCttlBqrST5C8glLTFVKWb1Tx6kDjgbFUpHqEg8vimBaE9zP3ZbgA78xiY46Mx/vlEgZkTkg==', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                          Source: WindowsUpdate.exe.2.dr, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                          Source: Windows Update.exe.0.dr, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                          Source: Sample_B.exe, Form1.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
                          Source: Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/15@6/2
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00644FBA AdjustTokenPrivileges,
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00644F83 AdjustTokenPrivileges,
                          Source: C:\Users\user\Desktop\Sample_B.exe | File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                          Source: C:\Users\user\Desktop\Sample_B.exe | File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt
                          Source: Sample_B.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\Sample_B.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
                          Source: C:\Users\user\Desktop\Sample_B.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                          Source: C:\Users\user\Desktop\Sample_B.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                          Source: C:\Users\user\Desktop\Sample_B.exe | File read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\Desktop\Sample_B.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | File read: C:\Windows\System32\drivers\etc\hosts
                          Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | File read: C:\Windows\System32\drivers\etc\hosts
                          Source: Sample_B.exe, Windows Update.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                          Source: Sample_B.exe, Windows Update.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                          Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Windows Update.exe, 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                          Source: Sample_B.exe, Windows Update.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                          Source: Sample_B.exe, Windows Update.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                          Source: Sample_B.exe, Windows Update.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                          Source: Sample_B.exe, Windows Update.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                          Source: Sample_B.exe | String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
                          Source: C:\Users\user\Desktop\Sample_B.exe | File read: C:\Users\user\Desktop\Sample_B.exe
                          Source: unknown | Process created: C:\Users\user\Desktop\Sample_B.exe 'C:\Users\user\Desktop\Sample_B.exe'
                          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
                          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                          Source: C:\Users\user\Desktop\Sample_B.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                          Source: C:\Users\user\Desktop\Sample_B.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Automated click: OK
                          Source: Window Recorder | Window detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\Sample_B.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                          Source: Sample_B.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: C:\Users\user\Desktop\Sample_B.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
                          Source: Sample_B.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                          Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
                          Source: Binary string: pC:\Win.pdbassembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
                          Source: Binary string: F^symbols\dll\mscorlib.pdb^ source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
                          Source: Binary string: .pdb; source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
                          Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
                          Source: Binary string: ^indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
                          Source: Binary string: mscorlib.pdbs\AppData\Roaming\Windows Update.exe source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
                          Source: Binary string: C:\Windows\mscorlib.pdb8 source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
                          Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Sample_B.exe
                          Source: Binary string: dows\mC:\Users\user\AppData\Roaming__b77a5c561934e089\mscorlib.pdbne_d08cc06a442b34fc source: Windows Update.exe, 00000002.00000002.2110645505.00000000003A0000.00000004.00000020.sdmp
                          Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Sample_B.exe
                          Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
                          Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Sample_B.exe
                          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbFP source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
                          Source: Binary string: ^T3/pC:\Windows\mscorlib.pdb4 source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
                          Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000002.00000002.2123111856.000000000970A000.00000004.00000010.sdmp
                          Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000002.00000002.2110851698.00000000005EC000.00000004.00000040.sdmp
                          Source: Binary string: mscorrc.pdb source: Sample_B.exe, 00000000.00000002.2076293431.0000000002050000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2111699782.0000000000E70000.00000002.00000001.sdmp

                          Data Obfuscation:

                          .NET source code contains potential unpacker
                          Source: Sample_B.exe, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Sample_B.exe, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Sample_B.exe, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Sample_B.exe, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Windows Update.exe.0.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Windows Update.exe.0.dr, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Windows Update.exe.0.dr, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: Windows Update.exe.0.dr, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: WindowsUpdate.exe.2.dr, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: WindowsUpdate.exe.2.dr, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: WindowsUpdate.exe.2.dr, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: WindowsUpdate.exe.2.dr, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                          Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C30712 push eax; ret
                          Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C0B87E push ecx; ret
                          Source: C:\Users\user\Desktop\Sample_B.exe | Code function: 0_2_00C0BA9D push eax; ret
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F50712 push eax; ret
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F2B87E push ecx; ret
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_00F2BA9D push eax; ret
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_001A7ED2 push eax; ret
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: 2_2_001A76C5 push esp; retf
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                          Source: C:\Users\user\Desktop\Sample_B.exe | File created: C:\Users\user\AppData\Roaming\Windows Update.exe
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

                          Hooking and other Techniques for Hiding and Protection:

                          Changes the view of files in windows explorer (hidden files and folders)
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\Sample_B.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Code function: GetAdaptersInfo,
Source: C:\Users\user\Desktop\Sample_B.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\Sample_B.exe TID: 284 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Sample_B.exe TID: 2028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2504 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2312 | Thread sleep time: -1020000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2908 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2888 | Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2920 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2912 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2912 | Thread sleep time: -1400000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2460 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: Sample_B.exe, 00000000.00000002.2075920870.00000000004FB000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Sample_B.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: Sample_B.exe, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Sample_B.exe, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: Windows Update.exe.0.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: Windows Update.exe.0.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.0.Sample_B.exe.bc0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.0.Sample_B.exe.bc0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 0.2.Sample_B.exe.bc0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.Sample_B.exe.bc0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: WindowsUpdate.exe.2.dr, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: WindowsUpdate.exe.2.dr, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.Windows Update.exe.ee0000.1.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.Windows Update.exe.ee0000.1.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.0.Windows Update.exe.ee0000.0.unpack, Form1.cs | Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.0.Windows Update.exe.ee0000.0.unpack, RunPE.cs | Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\Desktop\Sample_B.exe | Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 1708
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\Desktop\Sample_B.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match | File source: Sample_B.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match | File source: Sample_B.exe, type: SAMPLE
Source: Yara match | File source: 00000002.00000002.2112485117.0000000003371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.3377e00.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.3377e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
Yara detected WebBrowserPassView password recovery tool
Source: Yara match | File source: Sample_B.exe, type: SAMPLE
Source: Yara match | File source: 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.36114d0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.36114d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc9c0d.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee9c0d.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected HawkEye Rat
Source: Sample_B.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Sample_B.exe | String found in binary or memory: HawkEyeKeylogger
Source: Sample_B.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Sample_B.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Sample_B.exe, 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Windows Update.exe | String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe | String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Source: Sample_B.exe | String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Sample_B.exe | String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Sample_B.exe | String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Sample_B.exe | String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Yara detected HawkEye Keylogger
Source: Yara match | File source: Sample_B.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Update.exe PID: 2360, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sample_B.exe PID: 2368, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match | File source: 0.2.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Windows Update.exe.ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Sample_B.exe.bc8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.0.Windows Update.exe.ee0000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.2.Windows Update.exe.f3fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.2.Windows Update.exe.ee9c0d.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.Sample_B.exe.bc9c0d.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.3.Windows Update.exe.54aec22.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.0.Sample_B.exe.bc9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.0.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.Sample_B.exe.c1fa72.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.0.Windows Update.exe.ee8208.2.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.0.Windows Update.exe.f3fa72.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.2.Windows Update.exe.ee8208.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.Sample_B.exe.bc8208.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.0.Windows Update.exe.ee9c0d.1.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 2.2.Windows Update.exe.2392140.5.raw.unpack, type: UNPACKEDPE
                          Source: C:\Users\user\Desktop\Sample_B.exeCode function: 0_2_005D0DBA bind,
                          Source: C:\Users\user\Desktop\Sample_B.exeCode function: 0_2_005D09AA listen,
                          Source: C:\Users\user\Desktop\Sample_B.exeCode function: 0_2_005D096C listen,
                          Source: C:\Users\user\Desktop\Sample_B.exeCode function: 0_2_005D0D87 bind,
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 2_2_006409AA listen,
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 2_2_00640DBA bind,
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 2_2_0064096C listen,
                          Source: C:\Users\user\AppData\Roaming\Windows Update.exeCode function: 2_2_00640D87 bind,

                          Mitre Att&ck Matrix

Techniques listed per tactic column of the matrix; numbers in parentheses are the count badges shown next to a technique in the original matrix.

Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (2, 1), Native API (1), Shared Modules (1), Command and Scripting Interpreter (2), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
Persistence: Registry Run Keys / Startup Folder (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Privilege Escalation: Access Token Manipulation (1), Process Injection (4, 1, 1), Registry Run Keys / Startup Folder (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1, 1), Obfuscated Files or Information (3, 1), Software Packing (1, 1), Masquerading (1), Virtualization/Sandbox Evasion (4), Access Token Manipulation (1), Process Injection (4, 1, 1), Hidden Files and Directories (1)
Credential Access: Input Capture (2, 1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: Peripheral Device Discovery (1), File and Directory Discovery (1), System Information Discovery (3), Query Registry (1), Security Software Discovery (3, 1), Virtualization/Sandbox Evasion (4), Process Discovery (1), Remote System Discovery (1), System Network Configuration Discovery (1, 1)
Lateral Movement: Replication Through Removable Media (1), Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (1, 1), Input Capture (2, 1), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (2), Encrypted Channel (1), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (1, 2), Commonly Used Port, Application Layer Protocol, Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

                          Behavior Graph


                          Screenshots


                          Antivirus, Machine Learning and Genetic Malware Detection

                          Initial Sample

Source | Detection | Scanner | Label
Sample_B.exe | 100% | Avira | TR/AD.MExecute.lzrac
Sample_B.exe | 100% | Avira | SPR/Tool.MailPassView.473
Sample_B.exe | 100% | Joe Sandbox ML |

                          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Avira | SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\Windows Update.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\WindowsUpdate.exe | 100% | Joe Sandbox ML |

                          Unpacked PE Files

Source | Detection | Scanner | Label
0.0.Sample_B.exe.bc0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
0.0.Sample_B.exe.bc0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
2.2.Windows Update.exe.ee0000.1.unpack | 100% | Avira | TR/AD.MExecute.lzrac
2.2.Windows Update.exe.ee0000.1.unpack | 100% | Avira | SPR/Tool.MailPassView.473
0.2.Sample_B.exe.bc0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
0.2.Sample_B.exe.bc0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473
2.0.Windows Update.exe.ee0000.0.unpack | 100% | Avira | TR/AD.MExecute.lzrac
2.0.Windows Update.exe.ee0000.0.unpack | 100% | Avira | SPR/Tool.MailPassView.473

                          Domains

Source | Detection | Scanner | Label
cdn.digicertcdn.com | 0% | Virustotal |
163.190.5.0.in-addr.arpa | 0% | Virustotal |

                          URLs

Source | Detection | Scanner | Label
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe

                          Domains and IPs

                          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
whatismyipaddress.com | 104.16.155.36 | true | false | | high
cdn.digicertcdn.com | 104.18.10.39 | true | false | | unknown
smtp.gmail.com | 66.102.1.108 | true | false | | high
163.190.5.0.in-addr.arpa | unknown | unknown | true | | unknown

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | | high

                                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false | | high
http://crl.entrust.net/server1.crl0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net03 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pki.goog/gsr2/GTS1O1.crt0 | Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.pki.goog/gsr202 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false | | high
https://pki.goog/repository/0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | Sample_B.exe, 00000000.00000002.2078561268.0000000005C17000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122804139.0000000008F87000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | false | | high
http://ocsp.pki.goog/gts1o1core0 | Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://investor.msn.com/ | Sample_B.exe, 00000000.00000002.2078022149.0000000005A30000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2122590766.0000000008DA0000.00000002.00000001.sdmp | false | | high
http://crl.pki.goog/GTS1O1core.crl0 | Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://whatismyipaddress.com/- | Sample_B.exe | false | | high
http://www.%s.comPA | Sample_B.exe, 00000000.00000002.2077174925.00000000049F0000.00000002.00000001.sdmp, Windows Update.exe, 00000002.00000002.2113827446.0000000004A30000.00000002.00000001.sdmp | false | URL Reputation: safe | low
https://login.yahoo.com/config/login | Sample_B.exe, Windows Update.exe | false | | high
http://www.site.com/logs.php | Windows Update.exe, 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp | false | | high
http://crl.pki.goog/gsr2/gsr2.crl0? | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | Sample_B.exe | false | | high
http://ocsp.entrust.net0D | Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | Windows Update.exe, 00000002.00000002.2115217627.000000000548F000.00000004.00000001.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | Windows Update.exe, 00000002.00000002.2115241633.00000000054B2000.00000004.00000001.sdmp | false | | high

                                                            Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false
66.102.1.108 | unknown | United States | 15169 | GOOGLEUS | false

                                                            General Information

                                                            Joe Sandbox Version:31.0.0 Emerald
                                                            Analysis ID:354163
                                                            Start date:17.02.2021
                                                            Start time:14:15:06
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 9m 0s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:light
                                                            Sample file name:Sample_B.exe
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                            Number of analysed new started processes analysed:10
                                                            Number of new started drivers analysed: 0
                                                            Number of existing processes analysed: 0
                                                            Number of existing drivers analysed: 0
                                                            Number of injected processes analysed: 0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode: default
                                                            Analysis stop reason: Timeout
                                                            Detection: MAL
                                                            Classification: mal100.troj.spyw.evad.winEXE@9/15@6/2
                                                            EGA Information:
                                                            • Successful, ratio: 66.7%
                                                            HDC Information:
                                                            • Successful, ratio: 11.4% (good quality ratio 8.2%)
                                                            • Quality average: 48.9%
                                                            • Quality standard deviation: 36.4%
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found application associated with file extension: .exe
                                                            Warnings:
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
                                                            • Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.18.10.39, 2.20.142.210, 2.20.142.209
                                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, watson.microsoft.com, blobcollector.events.data.trafficmanager.net, cacerts.digicert.com, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtCreateFile calls found.
                                                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                            • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                            Simulations

                                                            Behavior and APIs

                                                            Time | Type | Description
                                                            14:15:33 | API Interceptor | 24x Sleep call for process: Sample_B.exe modified
                                                            14:15:35 | API Interceptor | 137x Sleep call for process: Windows Update.exe modified
                                                            14:15:39 | API Interceptor | 85x Sleep call for process: dw20.exe modified
                                                            14:15:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                            14:15:51 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            Match | Associated Sample Name / URL | Detection | Context
                                                            104.16.155.36 | PO_Invoices_pdf.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | Orders.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | nzGUqSK11D.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | PO 2010029_pdf Quotation from Alibaba Ale.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | PO 2010029_pdf Quotation from Alibaba Ale.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | hkaP5RPCGNDVq3Z.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | NDt93WWQwd089H7.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | PURCHASE ORDER.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | BANK-STATMENT _xlsx.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | INQUIRY.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | Prueba de pago.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | mR3CdUkyLL.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | 6JLHKYvboo.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | jSMd8npgmU.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | RXk6PjNTN8.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | 9vdouqRTh3.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | 5pB35gGfZ5.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | fyxC4Hgs3s.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | yk94P18VKp.exe | malicious | whatismyipaddress.com/
                                                            104.16.155.36 | oLHQIQAI3N.exe | malicious | whatismyipaddress.com/
                                                            66.102.1.108 | INQ4556 PO.exe | malicious |
                                                            66.102.1.108 | ngx.exe | malicious |
                                                            66.102.1.108 | CBT7797.exe | malicious |
                                                            66.102.1.108 | SCTB 372PO.exe | malicious |
                                                            66.102.1.108 | com.android.secrettalk-1.apk | malicious |
                                                            66.102.1.108 | https://drive.google.com/uc?export=download&id=1QwhJnu-bYB73eWYRaGC_EuhkzqVSA20N | malicious |
                                                            66.102.1.108 | https://drive.google.com/uc?export=download&id=1BZyO3k5sA4YaOJQDXxp2A3tfsIJBJP_- | malicious |
                                                            66.102.1.108 | PAYMENT 25SW Aug-06-2018.doc | malicious |
                                                            66.102.1.108 | PAYMENT 25SW Aug-06-2018.doc | malicious |
                                                            66.102.1.108 | https://protected-documents.solutions/adobe/absa/token.exe | malicious |

                                                                                Domains

                                                                                 Match | Associated Sample Name / URL | Detection | Context
                                                                                 cdn.digicertcdn.com | index_2021-02-17-11_45.dll | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | p4lqqCq2c2.exe | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | n26UEy3elW.exe | malicious | 104.18.11.39
                                                                                 cdn.digicertcdn.com | eAWqemQInU.exe | malicious | 104.18.11.39
                                                                                 cdn.digicertcdn.com | fLPW6kLMgl.exe | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | a9YPGSem9V.exe | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | SecuriteInfo.com.Exploit.Siggen3.10048.3748.xls | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | RFQ.xls | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | SoftickAudioGatewayInstaller | malicious | 104.18.11.39
                                                                                 cdn.digicertcdn.com | StrikeSolitaire3 | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | InformaAllSecure_Enhanced_Health_Safety_Standards_2021.docm | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | InformaAllSecure_Enhanced_Health_Safety_Standards_2021.docm | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | Farie PO.doc | malicious | 104.18.11.39
                                                                                 cdn.digicertcdn.com | Cerere de pret NUM003112 09-02-2021.doc | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | usd2.dll | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | PeerReviewResults.xls | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | Walaa-Qasem-resume2.doc | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | MY CV.doc | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | INV8222874744_20210111490395.xlsm | malicious | 104.18.10.39
                                                                                 cdn.digicertcdn.com | Inv0209966048-20210111075675.xls | malicious | 104.18.11.39
                                                                                 smtp.gmail.com | SecuriteInfo.com.BehavesLike.Win32.Generic.jc.exe | malicious | 74.125.206.109
                                                                                 smtp.gmail.com | SPECIFICATION.exe | malicious | 74.125.206.108
                                                                                 smtp.gmail.com | Ransomware Tortoise.exe | malicious | 172.253.120.109
                                                                                 smtp.gmail.com | Purchase_26012021_003429.exe | malicious | 173.194.79.109
                                                                                 smtp.gmail.com | Overdue_invoices.exe | malicious | 108.177.119.109
                                                                                 smtp.gmail.com | SIT-10295.exe | malicious | 108.177.119.109
                                                                                 smtp.gmail.com | QT21006189.exe | malicious | 108.177.119.109
                                                                                 smtp.gmail.com | fusion.exe | malicious | 173.194.69.108
                                                                                 smtp.gmail.com | Revised Invoice.exe | malicious | 173.194.69.109
                                                                                 smtp.gmail.com | transcach.exe | malicious | 172.253.120.109
                                                                                 smtp.gmail.com | PCS.exe | malicious | 172.253.120.109
                                                                                 smtp.gmail.com | transcach.exe | malicious | 172.253.120.109
                                                                                 smtp.gmail.com | ORDER-02044.exe | malicious | 66.102.1.109
                                                                                 smtp.gmail.com | EA0Y2020 Outstanding invoice 20190510to 20201214.exe | malicious | 173.194.69.109
                                                                                 smtp.gmail.com | vygtHoQaI1KaBVp.exe | malicious | 173.194.69.108
                                                                                 smtp.gmail.com | QCXw2WXDjOalhVZ.exe | malicious | 108.177.119.109
                                                                                 smtp.gmail.com | yqd2LHZ8y57Bzy4.exe | malicious | 108.177.119.109
                                                                                 smtp.gmail.com | knitted yarn documents.exe | malicious | 172.253.120.109
                                                                                 smtp.gmail.com | a9bdc406f87d6072599939a86b766fa4.exe | malicious | 172.253.120.109
                                                                                 smtp.gmail.com | SecuriteInfo.com.Generic.mg.e1df690a980825ac.exe | malicious | 173.194.69.108
                                                                                 whatismyipaddress.com | PO_Invoices_pdf.exe | malicious | 104.16.155.36
                                                                                 whatismyipaddress.com | Orders.exe | malicious | 104.16.155.36
                                                                                 whatismyipaddress.com | nzGUqSK11D.exe | malicious | 104.16.154.36
                                                                                 whatismyipaddress.com | PO 2010029_pdf Quotation from Alibaba Ale.exe | malicious | 104.16.155.36
                                                                                 whatismyipaddress.com | PO 2010029_pdf Quotation from Alibaba Ale.exe | malicious | 104.16.155.36
                                                                                 whatismyipaddress.com | hkaP5RPCGNDVq3Z.exe | malicious | 104.16.155.36
                                                                                 whatismyipaddress.com | B6LNCKjOGt5EmFQ.exe | malicious | 104.16.154.36
                                                                                 whatismyipaddress.com | NDt93WWQwd089H7.exe | malicious | 104.16.155.36
                                                                                 whatismyipaddress.com | JkhR5oeRHA.exe | malicious | 66.171.248.178
                                                                                 whatismyipaddress.com | PURCHASE ORDER.exe | malicious | 104.16.155.36
                                                                                 whatismyipaddress.com | BANK-STATMENT _xlsx.exe | malicious | 104.16.154.36
                                                                                 whatismyipaddress.com | INQUIRY.exe | malicious | 104.16.154.36
                                                                                 whatismyipaddress.com | Prueba de pago.exe | malicious | 104.16.155.36
                                                                                 whatismyipaddress.com | 879mgDuqEE.jar | malicious | 66.171.248.178
                                                                                 whatismyipaddress.com | remittance1111.jar | malicious | 66.171.248.178
                                                                                 whatismyipaddress.com | 879mgDuqEE.jar | malicious | 66.171.248.178
                                                                                 whatismyipaddress.com | remittance1111.jar | malicious | 66.171.248.178
                                                                                 whatismyipaddress.com | https://my-alliances.co.uk/ | malicious | 66.171.248.178
                                                                                 whatismyipaddress.com | c9o0CtTIYT.exe | malicious | 104.16.154.36
                                                                                 whatismyipaddress.com | mR3CdUkyLL.exe | malicious | 104.16.155.36

                                                                                ASN

                                                                                 Match | Associated Sample Name / URL | Detection | Context
                                                                                 CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Inject4.6572.30773.exe | malicious | 172.67.188.154
                                                                                 CLOUDFLARENETUS | index_2021-02-17-11_45.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | index_2021-02-17-11_45.dll | malicious | 104.20.184.68
                                                                                 CLOUDFLARENETUS | index_2021-02-17-11_45.dll | malicious | 104.20.184.68
                                                                                 CLOUDFLARENETUS | f_0008a8.exe | malicious | 104.16.18.94
                                                                                 CLOUDFLARENETUS | RibermoldOrder 180827.exe | malicious | 172.67.188.154
                                                                                 CLOUDFLARENETUS | index_2021-02-17-11_45.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | f6TW7Ob4aY.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | ew2c3sE5Po.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | TPYY2n7hzn.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | ZXKG6rCJwg.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | YWOro8qqYg.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | cRoVRprbi1.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | 45tj9pDUII.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | 3I3ECIc9us.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | VifzEYDt4f.dll | malicious | 104.20.184.68
                                                                                 CLOUDFLARENETUS | aMvqQZ69tk.dll | malicious | 104.20.184.68
                                                                                 CLOUDFLARENETUS | BpV9PHuNll.dll | malicious | 104.20.184.68
                                                                                 CLOUDFLARENETUS | dxjcxlYNoQ.dll | malicious | 104.20.185.68
                                                                                 CLOUDFLARENETUS | wildix-collaboration-mobile.apk | malicious | 104.22.10.83
                                                                                 GOOGLEUS | f_0008a8.exe | malicious | 8.8.4.4
                                                                                 GOOGLEUS | wildix-collaboration-mobile.apk | malicious | 142.250.180.131
                                                                                 GOOGLEUS | mWxzYlRCUi.exe | malicious | 34.102.136.180
                                                                                 GOOGLEUS | wildix-collaboration-mobile.apk | malicious | 142.250.184.42
                                                                                 GOOGLEUS | Credit Card & Booking details.exe | malicious | 34.102.136.180
                                                                                 GOOGLEUS | DnHeI10lQ6.exe | malicious | 34.102.136.180
                                                                                 GOOGLEUS | q9xB9DE3RA.exe | malicious | 34.102.136.180
                                                                                 GOOGLEUS | Cargo_remitP170201.xlsx | malicious | 34.102.136.180
                                                                                 GOOGLEUS | OEVGVSOGAH.dll | malicious | 216.58.206.65
                                                                                 GOOGLEUS | LeaveHomeSafe_1.1.4_#U5b89#U5fc3#U72483.apk | malicious | 142.250.184.42
                                                                                 GOOGLEUS | plutonium.exe | malicious | 8.8.8.8
                                                                                 GOOGLEUS | Quotation.exe | malicious | 34.102.136.180
                                                                                 GOOGLEUS | sBt_8xKw.apk | malicious | 216.58.198.42
                                                                                 GOOGLEUS | cLMBOaIYSO.exe | malicious | 35.228.43.35
                                                                                 GOOGLEUS | 51BfqRtUI9.exe | malicious | 34.102.136.180
                                                                                 GOOGLEUS | X2Q8MaK1Zm.docx | malicious | 216.58.208.131
                                                                                 GOOGLEUS | X2Q8MaK1Zm.docx | malicious | 172.253.120.155
                                                                                 GOOGLEUS | dAIyRK9gO7.exe | malicious | 8.8.8.8
                                                                                 GOOGLEUS | SU9Gm5Pom3.exe | malicious | 34.105.243.4
                                                                                 GOOGLEUS | 9j4sD6PmsW.exe | malicious | 34.102.136.180

                                                                                JA3 Fingerprints

                                                                                No context

                                                                                Dropped Files

                                                                                No context

                                                                                Created / dropped Files

                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
                                                                                 Process: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                 File Type: data
                                                                                 Category: dropped
                                                                                 Size (bytes): 914
                                                                                 Entropy (8bit): 7.367371959019618
                                                                                 Encrypted: false
                                                                                 SSDEEP: 24:c0oGlGm7qGlGd7SK1tcudP5M/C0VQYyL4R3fum:+JnJ17tcudRMq6QsF
                                                                                 MD5: E4A68AC854AC5242460AFD72481B2A44
                                                                                 SHA1: DF3C24F9BFD666761B268073FE06D1CC8D4F82A4
                                                                                 SHA-256: CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F
                                                                                 SHA-512: 5622207E1BA285F172756F6019AF92AC808ED63286E24DFECC1E79873FB5D140F1CEB7133F2476E89A5F75F711F9813A9FBB8FD5287F64ADFDCC53B864F9BDC5
                                                                                 Malicious: false
                                                                                 Reputation: moderate, very likely benign file
                                                                                Preview: 0...0..v........:......(d.....0...*.H........0a1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1 0...U....DigiCert Global Root G20...130801120000Z..380115120000Z0a1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1 0...U....DigiCert Global Root G20.."0...*.H.............0.........7.4.{k.h..Ju.F.!.....T......:..<z...k.-.^.$D.b.~..~.Tu ..P..c.l0.............7...CN.{,.../..:...%.k.`.`.O!I..g..a......2k..W.].......I.5-..Im.w..IK..U......#.LmE.....0..LU.'JW.|...s...J...P.......!..........g(.s..=Fv...!4M..E..I.....3.).......B0@0...U.......0....0...U...........0...U......N"T ....n..........90...*.H.............`g(.o.Hc.1..g..}<.J...+.._sw*2.9.gB.#.Eg5....a.4.. L....5.v..B..D...6t$Z.l..Y5..I....G*=./.\... ._SF..h...0.>1.....>5.._..pPpGA.W.N......./.%.u...o..Aq..*.O. U...E..D..2...SF.,...".K..E....X..}R..YC....&.o....7}.....w_v.<..]V[..fn.57.2.
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                Category:dropped
                                                                                Size (bytes):59134
                                                                                Entropy (8bit):7.995450161616763
                                                                                Encrypted:true
                                                                                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):252
                                                                                Entropy (8bit):3.0734220895273965
                                                                                Encrypted:false
                                                                                SSDEEP:6:kKbgP4LDKVIbjcalgRAOAUSW0zeEpV1Ew1OXISMlcV/:EQLutWOxSW0zeYrsMlU/
                                                                                MD5:DEFF45D6EE453F2E606204F981D12C2A
                                                                                SHA1:37196590CCAB4D0DA1ECF8A2C7CD5D3B9057DF9E
                                                                                SHA-256:E9D137AC1323596442F223D79DE22A4A34980B7BC84BD51EA5B7EDD07A2994E2
                                                                                SHA-512:4F18E2CAA196C0C6910B28C0F74BCDF1ADC35DB1395CA7F3C7F00925EB9454FF76F729E17916B57F845CD06FC49CD25D24F32E57346972DE36BBC9C455DDD853
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: p...... ....j...5..nz...(....................................................... ............n...u..................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.G.l.o.b.a.l.R.o.o.t.G.2...c.r.t...".5.a.2.8.6.4.1.7.-.3.9.2."...
                                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):328
                                                                                Entropy (8bit):3.080958610796429
                                                                                Encrypted:false
                                                                                SSDEEP:6:kKPbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:+3kPlE99SNxAhUeo+aKt
                                                                                MD5:5DE2DFA843897E36DAC2D1F4FCB7F360
                                                                                SHA1:717349376361E7175072835A0051A855DBF32BC8
                                                                                SHA-256:EB01F1C833C14A267597922655659DE490CBF8548F7C46B305C44896A2E8886C
                                                                                SHA-512:F463646650855F0493117ACC769D77DA705C69F7F1880AED8A17689223F5F2839C6340668A9222DCC884C98E64D32EC40C85E356CC62964D3BA77B5DFA6D809D
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: p...... .........|Lnz...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_windows update.e_8def7a6b85a0513a7da3debaf0f7a2c3a14caff_0b1db1a4\Report.wer
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):13186
                                                                                Entropy (8bit):3.716046470811688
                                                                                Encrypted:false
                                                                                SSDEEP:192:oTyzzRiyXg9uclA90TfxtdOZC0fFj6IGbQA3ai63yOt7:lzRi4yTOhGmr
                                                                                MD5:EF7C318F45EBB3503516CC69659E9F7B
                                                                                SHA1:D414EF598B7B337B1132FB28DD4B80C43D479E06
                                                                                SHA-256:A74CC73AED01F82B779695EF91898E57CA039EAEF67747838793658E5FFC3AB4
                                                                                SHA-512:ED4B52B026CDB3276F93C8349CDEF77F5DCC21D1C6D521D4402C5B29398A6DA748B9836BA74FE0D23F6892FE4882E3A6FD424BBEFEE71582822A0BFEC49B44FB
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.0.7.3.7.3.9.2.8.1.8.3.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.0.7.3.7.4.0.8.3.7.0.4.3.0.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.0.7.6.8.f.3.-.7.1.6.d.-.1.1.e.b.-.a.d.c.f.-.e.c.f.4.b.b.b.5.9.1.5.b.....W.O.W.6.4.=.1.....R.e.s.p.o.n.s.e...B.u.c.k.e.t.I.d.=.4.9.8.8.7.0.9.8.9.....R.e.s.p.o.n.s.e...B.u.c.k.e.t.T.a.b.l.e.=.5.1.2.1.7.6.3.3.1.....R.e.s.p.o.n.s.e...t.y.p.e.=.4.....S.i.g.[.0.]...N.a.m.e.=.P.r.o.b.l.e.m. .S.i.g.n.a.t.u.r.e. .0.1.....S.i.g.[.0.]...V.a.l.u.e.=.w.i.n.d.o.w.s. .u.p.d.a.t.e...e.x.e.....S.i.g.[.1.]...N.a.m.e.=.P.r.o.b.l.e.m. .S.i.g.n.a.t.u.r.e. .0.2.....S.i.g.[.1.]...V.a.l.u.e.=.1...0...0...0.....S.i.g.[.2.]...N.a.m.e.=.P.r.o.b.l.e.m. .S.i.g.n.a.t.u.r.e. .0.3.....S.i.g.[.2.]...V.a.l.u.e.=.6.0.1.6.c.1.0.9.....S.i.g.[.3.]...N.a.m.e.=.P.r.o.b.l.e.m. .S.i.g.n.a.t.u.r.e. .0.4.....S.i.g.[.3.]...V.a.l.u.e.=.P.h.u.l.l.i.....S.i.g.[.4.]...
                                                                                C:\Users\user\AppData\Local\Temp\CabAB00.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                Category:dropped
                                                                                Size (bytes):59134
                                                                                Entropy (8bit):7.995450161616763
                                                                                Encrypted:true
                                                                                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                                                                                C:\Users\user\AppData\Local\Temp\SysInfo.txt
                                                                                Process:C:\Users\user\Desktop\Sample_B.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):35
                                                                                Entropy (8bit):4.226150431961057
                                                                                Encrypted:false
                                                                                SSDEEP:3:oNSzORW2EM:oNSzOA2v
                                                                                MD5:6A5A5B0A44E4EB0E35D0ED1ED597CB58
                                                                                SHA1:1EAE2A59836272E8B62BD8AF9F231E5FF23BC8AB
                                                                                SHA-256:A4DB033255E7CEDD4E48A95805F033DD9A3A1AF789440EB627878C1C944C7483
                                                                                SHA-512:F21D968FE9400557E881BA3C354073659AA68E0B30D4485D519887ACF62A699730CE59B701D9245056D629C0D25C7F117E64A313B7CE37B6C6737FD9BD6E655F
                                                                                Malicious:false
                                                                                Reputation:low
                                                                                Preview: C:\Users\user\Desktop\Sample_B.exe
                                                                                C:\Users\user\AppData\Local\Temp\TarAB01.tmp
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):152788
                                                                                Entropy (8bit):6.316654432555028
                                                                                Encrypted:false
                                                                                SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                                                                                MD5:64FEDADE4387A8B92C120B21EC61E394
                                                                                SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                                                                                SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                                                                                SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                C:\Users\user\AppData\Local\Temp\WERA42C.tmp.WERInternalMetadata.xml
                                                                                Process:C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):2626
                                                                                Entropy (8bit):3.657382504384408
                                                                                Encrypted:false
                                                                                SSDEEP:48:yeRipPp6uhzrkG/wU6Gww7VxpAFgYkbkiQG5zepMVOfyi+Sqw+PjsMS+MbPx2xSQ:Shz4tU6o7VxBt33tJ3uE3
                                                                                MD5:BB7B91CA690F827AF3B229CB8B174191
                                                                                SHA1:6749797C84D4B0B279BD6C887B07CB16ECD9D156
                                                                                SHA-256:A7DD4AC1387116D03AC3C70E3074DCAB3E3B8EB864E2304195F86F1B81923575
                                                                                SHA-512:ADA582C7A441E85028A09DB2DD2C092D0AD67A0CC69BAE00BAD0ED3A2188DC88A1CCBAC6822AE9BA558CE2B7DAEA7C4666AF907EA2BF2AB7AD0A2B55E1820176
                                                                                Malicious:false
                                                                                Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.6...1.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.7.6.0.1. .S.e.r.v.i.c.e. .P.a.c.k. .1.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .7. .P.r.o.f.e.s.s.i.o.n.a.l.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.7.6.0.1...2.3.6.7.7...a.m.d.6.4.f.r.e...w.i.n.7.s.p.1._.l.d.r...1.7.0.2.0.9.-.0.6.0.0.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.3.0.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.b.l.e.m.S.i.g.n.a.t.u.
                                                                                C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                Process:C:\Users\user\Desktop\Sample_B.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):533504
                                                                                Entropy (8bit):6.5061470317531676
                                                                                Encrypted:false
                                                                                SSDEEP:6144:1ulqe1RKbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9e:MRKQtqB5urTIoYWBQk1E+VF9mOx9Oi
                                                                                MD5:78300BD48D50FA7E5F3F6A933CC5F739
                                                                                SHA1:03157F27B0D5141465ADEEAF9B3A7B5F3E60F614
                                                                                SHA-256:424212E76C0E660538EE49126079980B34F4DD343E002004F67EA71A937AF5E3
                                                                                SHA-512:18B015CA0B4DE297195E97BA95872C1485FE55A1D89B7FBDD82769A912E0FBB3825975105E5712356FFED525516D7EF3F482F46CE873E9B4315956F2E2A491E7
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Arnim Rupp
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: JPCERT/CC Incident Response Group
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................4........... ........@.. ....................................@.....................................W.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`......."..............@..B........................H.......0}..d..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                                C:\Users\user\AppData\Roaming\Windows Update.exe:Zone.Identifier
                                                                                Process:C:\Users\user\Desktop\Sample_B.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:true
                                                                                Preview: [ZoneTransfer]....ZoneId=0
                                                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe
                                                                                Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):533504
                                                                                Entropy (8bit):6.5061470317531676
                                                                                Encrypted:false
                                                                                SSDEEP:6144:1ulqe1RKbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9e:MRKQtqB5urTIoYWBQk1E+VF9mOx9Oi
                                                                                MD5:78300BD48D50FA7E5F3F6A933CC5F739
                                                                                SHA1:03157F27B0D5141465ADEEAF9B3A7B5F3E60F614
                                                                                SHA-256:424212E76C0E660538EE49126079980B34F4DD343E002004F67EA71A937AF5E3
                                                                                SHA-512:18B015CA0B4DE297195E97BA95872C1485FE55A1D89B7FBDD82769A912E0FBB3825975105E5712356FFED525516D7EF3F482F46CE873E9B4315956F2E2A491E7
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Arnim Rupp
                                                                                • Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net>
                                                                                • Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security
                                                                                • Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: JPCERT/CC Incident Response Group
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................4........... ........@.. ....................................@.....................................W.... ...2...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc....2... ...2..................@..@.reloc.......`......."..............@..B........................H.......0}..d..............X...........................................2s..........*....0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(.........*...................0.. .........(....(..........(.....o......*....................(......(.......o.......o.......o.......o......*.R..(....o....o......
                                                                                C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier
                                                                                Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:true
                                                                                Preview: [ZoneTransfer]....ZoneId=0
                                                                                C:\Users\user\AppData\Roaming\pid.txt
                                                                                Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):4
                                                                                Entropy (8bit):2.0
                                                                                Encrypted:false
                                                                                SSDEEP:3:8:8
                                                                                MD5:4EBD440D99504722D80DE606EA8507DA
                                                                                SHA1:53127AFA9428C4B39465D8FAFFEA4891967FDD3D
                                                                                SHA-256:BA977EDD7884F62CD595D30DC746605253AC8E5700B135AD515AAC7ADAFA512C
                                                                                SHA-512:8F474385AB39E7D6E2A314C91E0452F23BFE19F4E79739D8DAA8E6B1187AB289562EBA6795834CA4744C6EF000CEBA41D0448DADFA233AE332BA89EF03E2B9E3
                                                                                Malicious:false
                                                                                Preview: 2360
                                                                                C:\Users\user\AppData\Roaming\pidloc.txt
                                                                                Process:C:\Users\user\AppData\Roaming\Windows Update.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):49
                                                                                Entropy (8bit):4.505229681327448
                                                                                Encrypted:false
                                                                                SSDEEP:3:oNXp4EaKC59KYr4a:oNPaZ534a
                                                                                MD5:08300E5B4297843953DCBA97B84FC23F
                                                                                SHA1:0B3D9411DED86F59DAF4BD11A563357DE2BDFB1E
                                                                                SHA-256:6903CCA5237DD33175367A846A971979FF15CC5823135182E00A57F69A856C9A
                                                                                SHA-512:8C9124CC2258559A2377EB95EC9EB400EE568A133F946FDF7F69BB42A081DA90DFC7F2C544FBDD01AF6A4C235CAF654A0044ACE00835F91FCCDDDAF5F7F579E9
                                                                                Malicious:false
                                                                                Preview: C:\Users\user\AppData\Roaming\Windows Update.exe

                                                                                Static File Info

                                                                                General

                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):6.5061470317531676
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.69%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.65%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • InstallShield setup (43055/19) 0.21%
                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                File name:Sample_B.exe
                                                                                File size:533504
                                                                                MD5:78300bd48d50fa7e5f3f6a933cc5f739
                                                                                SHA1:03157f27b0d5141465adeeaf9b3a7b5f3e60f614
                                                                                SHA256:424212e76c0e660538ee49126079980b34f4dd343e002004f67ea71a937af5e3
                                                                                SHA512:18b015ca0b4de297195e97ba95872c1485fe55a1d89b7fbdd82769a912e0fbb3825975105e5712356ffed525516d7ef3f482f46ce873e9b4315956f2e2a491e7
                                                                                SSDEEP:6144:1ulqe1RKbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9e:MRKQtqB5urTIoYWBQk1E+VF9mOx9Oi
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.....................4........... ........@.. ....................................@................................

                                                                                File Icon

                                                                                Icon Hash:41455554545445a2

                                                                                Static PE Info

                                                                                General

                                                                                Entrypoint:0x480dee
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                Time Stamp:0x6016C109 [Sun Jan 31 14:39:05 2021 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:v2.0.50727
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the disassembly of the zero padding that follows the jmp stub)

                                                                                Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x80d94 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x82000 | 0x3200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7edf4 | 0x7ee00 | False | 0.572546567118 | data | 6.53992282183 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x82000 | 0x3200 | 0x3200 | False | 0.105390625 | data | 3.5876692887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x824f0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 4286019447 | |
RT_ICON | 0x827d8 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x82900 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x831a8 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x83710 | 0x353 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x83a68 | 0x10a8 | data | |
RT_ICON | 0x84b10 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x84f78 | 0x68 | data | |
RT_VERSION | 0x82250 | 0x2a0 | data | |
RT_MANIFEST | 0x84fe0 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                                                Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                                                Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2014
Assembly Version | 1.0.0.0
InternalName | Phulli.exe
FileVersion | 1.0.0.0
ProductName | Phulli
ProductVersion | 1.0.0.0
FileDescription | Phulli
OriginalFilename | Phulli.exe

                                                                                Network Behavior

                                                                                Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/17/21-14:15:57.240377 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 104.16.155.36 | 192.168.2.22

                                                                                Network Port Distribution

                                                                                TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 17, 2021 14:15:57.146359921 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:57.187491894 CET | 80 | 49167 | 104.16.155.36 | 192.168.2.22
Feb 17, 2021 14:15:57.187669992 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:57.188503981 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:57.229413033 CET | 80 | 49167 | 104.16.155.36 | 192.168.2.22
Feb 17, 2021 14:15:57.240376949 CET | 80 | 49167 | 104.16.155.36 | 192.168.2.22
Feb 17, 2021 14:15:57.445694923 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:58.263657093 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:58.304943085 CET | 80 | 49167 | 104.16.155.36 | 192.168.2.22
Feb 17, 2021 14:15:58.305743933 CET | 49167 | 80 | 192.168.2.22 | 104.16.155.36
Feb 17, 2021 14:15:58.591355085 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:58.643999100 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.644090891 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:58.753774881 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.768049955 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:58.820581913 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.823973894 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.825731993 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:58.878711939 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:58.978893995 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.032215118 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.032260895 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.032417059 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.050864935 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.103605032 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.300400972 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.548762083 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.601639032 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.603857994 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.656851053 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.658803940 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108
Feb 17, 2021 14:15:59.716787100 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
Feb 17, 2021 14:15:59.991312027 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22
                                                                                Feb 17, 2021 14:15:59.991817951 CET49168587192.168.2.2266.102.1.108
                                                                                Feb 17, 2021 14:16:00.044337034 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.044538975 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.044905901 CET49168587192.168.2.2266.102.1.108
                                                                                Feb 17, 2021 14:16:00.097799063 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.099353075 CET49168587192.168.2.2266.102.1.108
                                                                                Feb 17, 2021 14:16:00.157800913 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.401359081 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.404243946 CET49168587192.168.2.2266.102.1.108
                                                                                Feb 17, 2021 14:16:00.404728889 CET49168587192.168.2.2266.102.1.108
                                                                                Feb 17, 2021 14:16:00.405162096 CET49168587192.168.2.2266.102.1.108
                                                                                Feb 17, 2021 14:16:00.405478001 CET49168587192.168.2.2266.102.1.108
                                                                                Feb 17, 2021 14:16:00.457525969 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.457547903 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.457556963 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.457802057 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:00.896564007 CET5874916866.102.1.108192.168.2.22
                                                                                Feb 17, 2021 14:16:01.110186100 CET49168587192.168.2.2266.102.1.108
                                                                                Feb 17, 2021 14:16:17.157942057 CET49168587192.168.2.2266.102.1.108

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 17, 2021 14:15:56.602780104 CET | 192.168.2.22 | 8.8.8.8 | 0x26ae | Standard query (0) | 163.190.5.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
Feb 17, 2021 14:15:57.036444902 CET | 192.168.2.22 | 8.8.8.8 | 0x80ac | Standard query (0) | whatismyipaddress.com | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.301774025 CET | 192.168.2.22 | 8.8.8.8 | 0xdcd3 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.371413946 CET | 192.168.2.22 | 8.8.8.8 | 0xdcd3 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.455055952 CET | 192.168.2.22 | 8.8.8.8 | 0xdcd3 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.518007994 CET | 192.168.2.22 | 8.8.8.8 | 0xdcd3 | Standard query (0) | smtp.gmail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 17, 2021 14:15:56.659929991 CET | 8.8.8.8 | 192.168.2.22 | 0x26ae | Name error (3) | 163.190.5.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)
Feb 17, 2021 14:15:57.088181019 CET | 8.8.8.8 | 192.168.2.22 | 0x80ac | No error (0) | whatismyipaddress.com | | 104.16.155.36 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:57.088181019 CET | 8.8.8.8 | 192.168.2.22 | 0x80ac | No error (0) | whatismyipaddress.com | | 104.16.154.36 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.366976023 CET | 8.8.8.8 | 192.168.2.22 | 0xdcd3 | No error (0) | smtp.gmail.com | | 66.102.1.108 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.437342882 CET | 8.8.8.8 | 192.168.2.22 | 0xdcd3 | No error (0) | smtp.gmail.com | | 66.102.1.108 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.511831045 CET | 8.8.8.8 | 192.168.2.22 | 0xdcd3 | No error (0) | smtp.gmail.com | | 66.102.1.108 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:15:58.580215931 CET | 8.8.8.8 | 192.168.2.22 | 0xdcd3 | No error (0) | smtp.gmail.com | | 66.102.1.108 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:16:01.135674953 CET | 8.8.8.8 | 192.168.2.22 | 0x92f1 | No error (0) | cdn.digicertcdn.com | | 104.18.10.39 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:16:01.135674953 CET | 8.8.8.8 | 192.168.2.22 | 0x92f1 | No error (0) | cdn.digicertcdn.com | | 104.18.11.39 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:16:01.195561886 CET | 8.8.8.8 | 192.168.2.22 | 0x1175 | No error (0) | cdn.digicertcdn.com | | 104.18.11.39 | A (IP address) | IN (0x0001)
Feb 17, 2021 14:16:01.195561886 CET | 8.8.8.8 | 192.168.2.22 | 0x1175 | No error (0) | cdn.digicertcdn.com | | 104.18.10.39 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• whatismyipaddress.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 104.16.155.36 | 80 | C:\Users\user\AppData\Roaming\Windows Update.exe

Timestamp | kBytes transferred | Direction | Data
Feb 17, 2021 14:15:57.188503981 CET | 0 | OUT | GET / HTTP/1.1
Host: whatismyipaddress.com
Connection: Keep-Alive
Feb 17, 2021 14:15:57.240376949 CET | 1 | IN | HTTP/1.1 403 Forbidden
Date: Wed, 17 Feb 2021 13:15:57 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: __cfduid=df511a3b29767e188cc5ceb9545d8c6061613567757; expires=Fri, 19-Mar-21 13:15:57 GMT; path=/; domain=.whatismyipaddress.com; HttpOnly; SameSite=Lax; Secure
cf-request-id: 0851bb23a500004a8588a22000000001
Server: cloudflare
CF-RAY: 622fc7b2aa474a85-FRA
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 32 30
Data Ascii: error code: 1020


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Feb 17, 2021 14:15:58.753774881 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22 | 220 smtp.gmail.com ESMTP c3sm3856483wrr.29 - gsmtp
Feb 17, 2021 14:15:58.768049955 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108 | EHLO 376483
Feb 17, 2021 14:15:58.823973894 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22 | 250-smtp.gmail.com at your service, [84.17.52.38]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
Feb 17, 2021 14:15:58.825731993 CET | 49168 | 587 | 192.168.2.22 | 66.102.1.108 | STARTTLS
Feb 17, 2021 14:15:58.878711939 CET | 587 | 49168 | 66.102.1.108 | 192.168.2.22 | 220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 14:15:32
Start date: 17/02/2021
Path: C:\Users\user\Desktop\Sample_B.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Sample_B.exe'
Imagebase: 0xbc0000
File size: 533504 bytes
MD5 hash: 78300BD48D50FA7E5F3F6A933CC5F739
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000002.2076206862.0000000000BC2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000000.2069232329.0000000000BC2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 14:15:35
Start date: 17/02/2021
Path: C:\Users\user\AppData\Roaming\Windows Update.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Imagebase: 0xee0000
File size: 533504 bytes
MD5 hash: 78300BD48D50FA7E5F3F6A933CC5F739
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.2112965167.0000000003610000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.2112485117.0000000003371000.00000004.00000001.sdmp, Author: Joe Security
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.2111753690.0000000000EE2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000002.00000002.2113607102.00000000046F0000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000000.2075201287.0000000000EE2000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000003.2082749506.00000000054A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: 00000002.00000002.2113562918.00000000046E0000.00000004.00000001.sdmp, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000002.00000002.2111820758.0000000002371000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: HKTL_NET_GUID_Stealer, Description: Detects c# red/black-team tools via typelibguid, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Arnim Rupp
• Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
• Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
• Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security
• Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 14:15:38
Start date: 17/02/2021
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit): true
Commandline: dw20.exe -x -s 1708
Imagebase: 0x10000000
File size: 33936 bytes
MD5 hash: FBA78261A16C65FA44145613E3669E6E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

                                                                                General

                                                                                Start time:14:15:41
                                                                                Start date:17/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
                                                                                Imagebase:0x400000
                                                                                File size:1170056 bytes
                                                                                MD5 hash:1672D0478049ABDAF0197BE64A7F867F
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate

                                                                                General

                                                                                Start time:14:15:42
                                                                                Start date:17/02/2021
                                                                                Path:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
                                                                                Imagebase:0x400000
                                                                                File size:1170056 bytes
                                                                                MD5 hash:1672D0478049ABDAF0197BE64A7F867F
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
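The two vbc.exe launches above are the report's MailPassView and WebBrowserPassView dumps: the sample hollows the .NET Visual Basic compiler and runs the injected NirSoft recovery tool with its /stext output switch, writing holdermail.txt and holderwb.txt into %TEMP%. vbc.exe itself has no /stext switch, so that command line is a reliable process-creation indicator. The dw20.exe -x -s 1708 launch is Microsoft Application Error Reporting and is not part of the dump. The following detection logic is an added example written for this page, not code from Joe Sandbox or from the sample; the ProcEvent/Alert types, the benign vbc.exe compile line, and the C:\Tools\mailpv.exe / C:\audit\mail.txt control are constructed for illustration, while the three malicious command lines are copied from the report.

```python
"""Added example (not part of the Joe Sandbox report): flag process-creation events in
which a .NET compiler binary (vbc.exe) is started with the NirSoft '/stext <file>' switch,
the pattern HawkEye uses to run injected MailPassView / WebBrowserPassView and save the
recovered credentials as text.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ProcEvent:
    """Minimal process-creation record (image path + full command line)."""
    image: str
    cmdline: str


@dataclass
class Alert:
    image: str
    output_file: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A bare /stext switch is suspicious on its own; a hollowed host or a %TEMP% dump raises it to high.
        return "high" if len(self.reasons) >= 2 else "medium"


# NirSoft "/stext <file>" output switch, path quoted or not (the report renders quotes as ').
STEXT_RE = re.compile(r"/stext\s+['\"]?(?P<out>[^'\"]+?)['\"]?\s*$", re.IGNORECASE)

# Host image observed in this report; the VB compiler never accepts /stext itself.
HOLLOW_HOSTS = {"vbc.exe"}


def classify(ev: ProcEvent) -> Optional[Alert]:
    """Return an Alert if the event carries the NirSoft /stext switch, else None."""
    m = STEXT_RE.search(ev.cmdline)
    if not m:
        return None
    image_name = ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    out = m.group("out")
    alert = Alert(image=image_name, output_file=out)
    alert.reasons.append("NirSoft /stext output switch on command line")
    if image_name in HOLLOW_HOSTS:
        alert.reasons.append(f"{image_name} does not accept /stext (injected NirSoft tool)")
    if "\\appdata\\local\\temp\\" in out.lower():
        alert.reasons.append("dump written to %TEMP%")
    return alert


def scan(events: List[ProcEvent]) -> List[Alert]:
    """Run classify() over a batch of events and keep only the hits."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample: the three command lines from the report plus two controls.
NET20 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
SAMPLE_EVENTS = [
    ProcEvent(NET20 + r"\dw20.exe", "dw20.exe -x -s 1708"),  # error reporting, not a dump
    ProcEvent(NET20 + r"\vbc.exe", NET20 + r"\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'"),
    ProcEvent(NET20 + r"\vbc.exe", NET20 + r"\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'"),
    ProcEvent(NET20 + r"\vbc.exe", NET20 + r"\vbc.exe /noconfig /out:App.exe Program.vb"),  # real compile, benign
    ProcEvent(r"C:\Tools\mailpv.exe", r"mailpv.exe /stext C:\audit\mail.txt"),  # NirSoft tool run openly (hypothetical path)
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.image} -> {a.output_file}: " + "; ".join(a.reasons))
```

Running the block flags the two report command lines as high (hollowed host plus %TEMP% dump) and the openly run mailpv.exe as medium; the dw20.exe launch and the genuine compile produce nothing. In a real pipeline the same logic maps directly onto Sysmon Event ID 1 Image and CommandLine fields, and the parent image (here Windows Update.exe under %APPDATA%) is worth adding as a further reason.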
