Windows Analysis Report: Costa Order.exe

Overview

General Information

Sample Name: Costa Order.exe
Analysis ID: 453873
MD5: bc4e444c2dd7463dc563119593bc7764
SHA1: d54092772dd1d8ca8b20b84f44e0931d089d79d7
SHA256: fd95b0eb1d2a5650592de694cda956d9dcf0b1c3312fcb3273571f858762ae15
Tags: exe, HawkEye
Detection

HawkEye, MailPassView
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Launches processes in debugging mode, may be used to hinder debugging
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Roaming\Windows Update.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: Costa Order.exe Virustotal: Detection: 46%
Source: Costa Order.exe ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Costa Order.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack Avira: Label: TR/Inject.vcoldi
Source: 24.2.Windows Update.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 24.2.Windows Update.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 24.0.Windows Update.exe.400000.15.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 24.0.Windows Update.exe.400000.15.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 10.2.Costa Order.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 10.2.Costa Order.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 24.0.Windows Update.exe.400000.1.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 24.0.Windows Update.exe.400000.1.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 17.2.Windows Update.exe.415bd60.2.unpack Avira: Label: TR/Inject.vcoldi

Compliance:

Uses 32bit PE files
Source: Costa Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Costa Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: System.Core.ni.pdbRSDSD source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Xml.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Microsoft.VisualBasic.pdb8 source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Windows Update.PDB source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdb! source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.pdbq source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Xml.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdbl source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Core.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Windows.Forms.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: (P[j0C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp, WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Drawing.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Management.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: mscorlib.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000002.421747814.0000000002D31000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Core.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Xml.pdbD source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: .pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WERBEB5.tmp.dmp.31.dr

Spreading:

May infect USB drives
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
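The file hashes under General Information, the debug-symbol paths listed under Compliance (the NirSoft WebBrowserPassView and mailpv PDBs, and the CMemoryExecute loader PDB from a project named Stealer) and the autorun strings in this section are the static indicators a responder can reuse against other files and memory dumps. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample; it hash-matches a blob against the reported digests and then searches for each reported string in both ASCII and UTF-16LE, because strings embedded in a .NET assembly's user-string heap are stored as UTF-16LE and an ASCII-only search misses them. The hash values and IOC strings are copied from the report (the CMemoryExecute pattern is a suffix of the reported path); the indicator names, weights, verdict thresholds and the bytes returned by demo_sample() are constructed for this example.

```python
"""Match a file or memory dump against the static indicators in this report.

Hash values and IOC strings are copied from the report; indicator names,
weights and verdict thresholds are assumptions made for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterator

# Hashes of the submitted sample (General Information section).
REPORT_HASHES = {
    "md5": "bc4e444c2dd7463dc563119593bc7764",
    "sha1": "d54092772dd1d8ca8b20b84f44e0931d089d79d7",
    "sha256": "fd95b0eb1d2a5650592de694cda956d9dcf0b1c3312fcb3273571f858762ae15",
}

# (indicator name, byte string as reported, weight).  Weights are an assumption:
# a PDB path of a bundled NirSoft tool or of the CMemoryExecute loader is strong
# on its own; autorun strings are weak unless combined with something else.
STRING_IOCS = [
    ("pdb_webbrowserpassview",
     rb"f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb", 3),
    ("pdb_mailpv", rb"f:\Projects\VS2005\mailpv\Release\mailpv.pdb", 3),
    # Suffix of the reported path, so the user-profile prefix does not matter.
    ("pdb_cmemoryexecute",
     rb"Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb", 3),
    ("exfil_placeholder_url", rb"http://www.site.com/logs.php", 2),
    ("autorun_section", rb"[autorun]", 1),
    ("autorun_inf", rb"autorun.inf", 1),
]


@dataclass(frozen=True)
class Finding:
    name: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int
    weight: int


@dataclass
class ScanResult:
    hash_match: dict
    findings: list
    score: int


def _find_all(haystack: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset of needle in haystack, including overlapping hits."""
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1


def scan(data: bytes) -> ScanResult:
    """Hash-match the blob, then search each string IOC in ASCII and UTF-16LE."""
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }
    hash_match = {algo: digests[algo] == value for algo, value in REPORT_HASHES.items()}

    findings = []
    for name, pattern, weight in STRING_IOCS:
        # .NET user strings live in the #US heap as UTF-16LE, so a search that
        # only looks for the ASCII form misses indicators inside managed code.
        variants = (("ascii", pattern),
                    ("utf-16le", pattern.decode("ascii").encode("utf-16-le")))
        for encoding, needle in variants:
            for offset in _find_all(data, needle):
                findings.append(Finding(name, encoding, offset, weight))

    # An exact hash hit is conclusive on its own; otherwise count each
    # distinct indicator once, however many times it occurs.
    if any(hash_match.values()):
        score = 100
    else:
        score = sum(w for _, w in {(f.name, f.weight) for f in findings})
    return ScanResult(hash_match, findings, score)


def verdict(result: ScanResult) -> str:
    """Thresholds are an assumption for this example, not Joe Sandbox's scoring."""
    if any(result.hash_match.values()):
        return "known_sample"
    if result.score >= 3:
        return "suspicious"
    return "clean"


def demo_sample() -> bytes:
    """Constructed stand-in for a process dump; this is NOT the real sample."""
    return (b"MZ" + b"\x00" * 62
            + rb"f:\Projects\VS2005\mailpv\Release\mailpv.pdb" + b"\x00"
            + "[autorun]\r\nopen=autorun.inf".encode("utf-16-le")
            + b"\x00" * 16)


if __name__ == "__main__":
    res = scan(demo_sample())
    for f in res.findings:
        print(f"{f.offset:#08x} {f.encoding:<8} {f.name}")
    print("score:", res.score, "verdict:", verdict(res))
```

Run against a real dump, the offsets tell you which region carried the indicator, which is how the report's own per-process memory-dump references (the sdmp identifiers) map back to evidence; a PDB path found in a process named vbc.exe, as the report shows, is the NirSoft tool being run from memory rather than a Visual Basic compiler doing anything legitimate.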

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then jmp 0510A630h 24_2_0510A559
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then jmp 0510A630h 24_2_0510A568
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 24_2_05109EF5
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 24_2_05102B75
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 24_2_05109A2D

Networking:
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 0000001C.00000003.392509027.000000000063C000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
Source: vbc.exe, 0000001C.00000003.392509027.000000000063C000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: 54.229.13.0.in-addr.arpa
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Windows Update.exe, 00000018.00000002.422390459.0000000003173000.00000004.00000001.sdmp String found in binary or memory: http://safeconnectplus.com
Source: Costa Order.exe, 0000000A.00000002.293093252.0000000002DD1000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vbc.exe, 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Windows Update.exe, 00000018.00000000.389603296.0000000002D5E000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Costa Order.exe, 00000002.00000002.294190507.0000000006D62000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.296586106.0000000006070000.00000002.00000001.sdmp, Windows Update.exe, 00000011.00000002.378151129.0000000006050000.00000002.00000001.sdmp, Windows Update.exe, 00000018.00000000.402794264.0000000005E10000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.475850095.00000000061D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.475759229.00000000058C0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY
Contains functionality to log keystrokes (.Net Source)
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: Costa Order.exe, 00000002.00000002.281981949.0000000001070000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Malicious sample detected (through community Yara rule)
Source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: Costa Order.exe, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: 2.2.Costa Order.exe.8c0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: 2.0.Costa Order.exe.8c0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: 9.2.Costa Order.exe.b0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: 9.0.Costa Order.exe.b0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: Windows Update.exe.10.dr, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: 10.0.Costa Order.exe.9b0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: 10.2.Costa Order.exe.9b0000.4.unpack, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: 17.0.Windows Update.exe.bf0000.0.unpack, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Source: WindowsUpdate.exe.24.dr, Model.Enemy/Helis/SmallHeli.cs Long String: Length: 32771
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Costa Order.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_008C2050 2_2_008C2050
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_01317B20 2_2_01317B20
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C812D0 2_2_02C812D0
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C83ABD 2_2_02C83ABD
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C81010 2_2_02C81010
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C812C1 2_2_02C812C1
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C8290B 2_2_02C8290B
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C826EC 2_2_02C826EC
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C83C22 2_2_02C83C22
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C80D41 2_2_02C80D41
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056BDDE8 2_2_056BDDE8
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B0D30 2_2_056B0D30
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056BADA0 2_2_056BADA0
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056BB428 2_2_056BB428
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056BB648 2_2_056BB648
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B5168 2_2_056B5168
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056BB870 2_2_056BB870
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B0040 2_2_056B0040
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B7851 2_2_056B7851
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B7030 2_2_056B7030
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B0006 2_2_056B0006
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B70C0 2_2_056B70C0
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056BA250 2_2_056BA250
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056BE2E0 2_2_056BE2E0
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B1AB8 2_2_056B1AB8
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_056B8299 2_2_056B8299
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 9_2_000B2050 9_2_000B2050
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_009B2050 10_2_009B2050
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1B29C 10_2_02C1B29C
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1C565 10_2_02C1C565
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1C568 10_2_02C1C568
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C199D0 10_2_02C199D0
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1DFD3 10_2_02C1DFD3
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_07673B53 10_2_07673B53
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_07670006 10_2_07670006
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_07670040 10_2_07670040
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_00BF2050 17_2_00BF2050
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_012E7B20 17_2_012E7B20
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_012E7B11 17_2_012E7B11
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_017112D0 17_2_017112D0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_0171290B 17_2_0171290B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_01712860 17_2_01712860
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_01712850 17_2_01712850
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_017112C1 17_2_017112C1
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_01710D50 17_2_01710D50
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_01710D41 17_2_01710D41
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_055F34D5 17_2_055F34D5
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_055F10B0 17_2_055F10B0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_055F1A58 17_2_055F1A58
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_055F1A68 17_2_055F1A68
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_00752050 24_2_00752050
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_010EB29C 24_2_010EB29C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_010EC310 24_2_010EC310
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_010EB29A 24_2_010EB29A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_010E99D0 24_2_010E99D0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_010EDFD0 24_2_010EDFD0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_06F3C498 24_2_06F3C498
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_06F3C150 24_2_06F3C150
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_06F3CD68 24_2_06F3CD68
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_06F30031 24_2_06F30031
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_06F37D20 24_2_06F37D20
One or more processes crash
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
Sample file is different than original file name gathered from version info
Source: Costa Order.exe Binary or memory string: OriginalFilename vs Costa Order.exe
Source: Costa Order.exe, 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs Costa Order.exe
Source: Costa Order.exe, 00000002.00000002.281533964.00000000008C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameuTW04.exe< vs Costa Order.exe
Source: Costa Order.exe, 00000002.00000002.281981949.0000000001070000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Costa Order.exe
Source: Costa Order.exe, 00000002.00000002.282732245.0000000002D31000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs Costa Order.exe
Source: Costa Order.exe, 00000002.00000002.296012823.0000000007320000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Costa Order.exe
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Costa Order.exe
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Costa Order.exe
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Costa Order.exe
Source: Costa Order.exe Binary or memory string: OriginalFilename vs Costa Order.exe
Source: Costa Order.exe, 00000009.00000000.279148755.00000000000B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameuTW04.exe< vs Costa Order.exe
Source: Costa Order.exe Binary or memory string: OriginalFilename vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000000.280632565.00000000009B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameuTW04.exe< vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.291791878.0000000000482000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs Costa Order.exe
Source: Costa Order.exe, 0000000A.00000002.297903198.0000000007270000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Costa Order.exe
Source: Costa Order.exe Binary or memory string: OriginalFilenameuTW04.exe< vs Costa Order.exe
Uses 32bit PE files
Source: Costa Order.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 24.2.Windows Update.exe.7d50000.12.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.7d50000.27.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.7d20000.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.2fc4dd4.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.7d20000.13.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.7d20000.26.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Costa Order.exe.2e2d2a8.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2d33cdc.21.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.7d50000.14.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2fc0168.8.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.2d4d404.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.Windows Update.exe.2d33cdc.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.429765718.0000000007D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000000.398220515.0000000007D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000002.429705433.0000000007D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000000.406136458.0000000007D50000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000000.406053049.0000000007D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000018.00000000.398164830.0000000007D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: Costa Order.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Windows Update.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.24.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'UdRPb9QMBtDQ7GBdCKnbF6Xtf3+nKb0F9ck5q4dNxt+WHP0YcHC0Yw+eq34OWfWd', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@19/14@2/2
Source: C:\Users\user\Desktop\Costa Order.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Costa Order.exe.log
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Mutant created: \Sessions\1\BaseNamedObjects\PfnKizGbmo
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4848
Source: C:\Users\user\Desktop\Costa Order.exe File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt
Source: C:\Users\user\Desktop\Costa Order.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Costa Order.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Costa Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Costa Order.exe Virustotal: Detection: 46%
Source: Costa Order.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\Costa Order.exe File read: C:\Users\user\Desktop\Costa Order.exe
Source: unknown Process created: C:\Users\user\Desktop\Costa Order.exe 'C:\Users\user\Desktop\Costa Order.exe'
Source: C:\Users\user\Desktop\Costa Order.exe Process created: C:\Users\user\Desktop\Costa Order.exe {path}
Source: C:\Users\user\Desktop\Costa Order.exe Process created: C:\Users\user\Desktop\Costa Order.exe {path}
Source: C:\Users\user\Desktop\Costa Order.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe {path}
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
Source: C:\Users\user\Desktop\Costa Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Costa Order.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: Costa Order.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Costa Order.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Xml.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Microsoft.VisualBasic.pdb8 source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: Accessibility.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Windows Update.PDB source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdb! source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Configuration.pdbq source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Xml.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: CMemoryExecute.pdbl source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Core.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Windows.Forms.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: (P[j0C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp, WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Drawing.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Management.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: mscorlib.ni.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000002.421747814.0000000002D31000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: System.Core.pdb source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, Windows Update.exe, 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, vbc.exe, 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Xml.pdbD source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: .pdb source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERBEB5.tmp.dmp.31.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb+ source: Windows Update.exe, 00000018.00000000.406282298.00000000080BA000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WERBEB5.tmp.dmp.31.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: Costa Order.exe, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.2.Costa Order.exe.8c0000.0.unpack, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.Costa Order.exe.8c0000.0.unpack, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.2.Costa Order.exe.b0000.0.unpack, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 9.0.Costa Order.exe.b0000.0.unpack, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Windows Update.exe.10.dr, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.Costa Order.exe.9b0000.0.unpack, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.2.Costa Order.exe.9b0000.4.unpack, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 17.0.Windows Update.exe.bf0000.0.unpack, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: WindowsUpdate.exe.24.dr, MainConsole.cs .Net Code: X_123123454363 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_0131C462 push 78013AC1h; ret 2_2_0131C46D
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C8690D push FFFFFF8Bh; iretd 2_2_02C8690F
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 2_2_02C837B0 pushad ; retf 2_2_02C837B1
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C16A64 pushfd ; retf 10_2_02C1AC32
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C199B0 pushfd ; retf 10_2_02C1AE2A
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C141E3 push edi; retf 0002h 10_2_02C141F2
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C16468 pushad ; retf 10_2_02C1646E
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1AE2B pushfd ; retf 10_2_02C1AE32
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1ACE0 pushfd ; retf 10_2_02C1ACE2
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1AC93 pushfd ; retf 10_2_02C1AC9A
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1AC53 pushfd ; retf 10_2_02C1AC5A
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1AC33 pushfd ; retf 10_2_02C1AC3A
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1AC3B pushfd ; retf 10_2_02C1AC52
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C1AD30 pushfd ; retf 10_2_02C1AD32
Source: C:\Users\user\Desktop\Costa Order.exe Code function: 10_2_02C137A8 push eax; retf 10_2_02C137A9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_0171394E pushad ; retf 17_2_01713951
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_01714138 push esp; iretd 17_2_01714139
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 17_2_0171682E push dword ptr [edx+ebp*2-75h]; iretd 17_2_01716837
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_010EE672 push esp; ret 24_2_010EE679
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_051050E0 push eax; ret 24_2_051050F3
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_0510AC12 pushfd ; ret 24_2_0510AC21
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_0510FC04 push E801005Eh; ret 24_2_0510FC09
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 24_2_051049E2 pushfd ; retf 24_2_05104A78
Source: initial sample Static PE information: section name: .text entropy: 7.52415197503

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Costa Order.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Deletes itself after installation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File deleted: c:\users\user\desktop\costa order.exe
Source: C:\Users\user\Desktop\Costa Order.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Costa Order.exe, 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmp, Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Costa Order.exe, 00000002.00000002.282796808.0000000002D86000.00000004.00000001.sdmp, Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Costa Order.exe Thread delayed: delay time: 922337203685477 (3 events)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 (2 events)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window / User API: threadDelayed 582
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Costa Order.exe TID: 5080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Costa Order.exe TID: 1240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Costa Order.exe TID: 808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 2576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 4332 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5044 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5096 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5148 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596 Thread sleep time: -93867s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596 Thread sleep time: -93725s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3596 Thread sleep time: -93561s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Costa Order.exe Thread delayed: delay time: 922337203685477 (3 events)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 (2 events)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 120000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 140000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 93867
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 93725
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 93561
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Windows Update.exe, 00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\Costa Order.exe Process information queried: ProcessInformation
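The delay values and fingerprint strings listed in this section can be triaged mechanically. The Python below is an added example written for this page; it is not code from the sandbox report or from the sample. It parses lines in the report's own `Source: ... Thread delayed`, `Thread sleep time` and `Binary or memory string` formats and buckets them per process and per fingerprinted product. The sample lines are constructed from entries shown above. Two assumptions are labelled in the code: the delay 922337203685477 is read as floor((2^63 - 1) / 10000), which is TimeSpan.MaxValue expressed in milliseconds, so it is treated as an effectively infinite wait rather than a timed sleep; and the negative `Thread sleep time` magnitudes are treated as milliseconds because they equal the values printed on the `Thread delayed` lines.

```python
"""Bucket the evasion evidence from the report's own line formats.

Added example for this page, not code from the sandbox report or from the
sample. SAMPLE_LINES is constructed from entries shown above.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumption: 922337203685477 is floor((2**63 - 1) / 10_000), TimeSpan.MaxValue
# expressed in milliseconds. A wait that long never expires, so it marks a
# parked thread rather than a timed sleep a sandbox could skip over.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000      # == 922337203685477
LONG_SLEEP_MS = 3 * 60 * 1000                # the report's ">= 3 min" threshold

# Strings the sample carries that fingerprint analysis environments
# (matched case-insensitively against the report's 'Binary or memory string').
VM_ARTIFACTS = {
    "sbiedll.dll": "Sandboxie",
    "wine_get_unix_file_name": "Wine",
    "vmware": "VMware",
}

_DELAY_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?:Thread delayed: delay time: (?P<ms>\d+)"
    r"|TID: (?P<tid>\d+) Thread sleep time: (?P<rel>-?\d+)s)"
)
_STRING_RE = re.compile(r"Binary or memory string: (?P<s>.+)$")


def classify_delay(ms: int) -> str:
    """Bucket one delay: 'infinite', 'long' (outlasts a short sandbox run) or 'short'."""
    if ms >= TIMESPAN_MAX_MS:
        return "infinite"
    if ms >= LONG_SLEEP_MS:
        return "long"
    return "short"


def parse_evasion_lines(lines: Iterable[str]) -> Dict[str, dict]:
    """Return delay buckets per process and fingerprint strings per product."""
    delays: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    artifacts: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = _DELAY_RE.match(line)
        if m:
            if m.group("ms") is not None:
                ms = int(m.group("ms"))
            else:
                # 'Thread sleep time' is printed negative (a relative interval,
                # as NtDelayExecution encodes it) and labelled 's'. Assumption:
                # the magnitudes equal the millisecond values on the 'Thread
                # delayed' lines (922337203685477 on both), so treat them as ms.
                ms = abs(int(m.group("rel")))
            delays[m.group("proc")][classify_delay(ms)] += 1
            continue
        m = _STRING_RE.search(line)
        if m:
            found = m.group("s")
            for needle, product in VM_ARTIFACTS.items():
                if needle in found.lower():
                    artifacts[product].append(found)
                    break
    return {"delays": {p: dict(b) for p, b in delays.items()},
            "vm_artifacts": dict(artifacts)}


CO = "C:\\Users\\user\\Desktop\\Costa Order.exe"
WU = "C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe"
DUMP = "00000011.00000002.371415386.0000000003126000.00000004.00000001.sdmp"

# Constructed from report lines shown above.
SAMPLE_LINES = [
    f"Source: {CO} Thread delayed: delay time: 922337203685477",
    f"Source: {WU} Thread delayed: delay time: 300000",
    f"Source: {WU} Thread delayed: delay time: 180000",
    f"Source: {WU} TID: 4332 Thread sleep time: -120000s >= -30000s",
    f"Source: {WU} TID: 3596 Thread sleep time: -1844674407370954s >= -30000s",
    f"Source: {WU} TID: 3596 Thread sleep time: -93867s >= -30000s",
    f"Source: Windows Update.exe, {DUMP} Binary or memory string: SBIEDLL.DLL",
    f"Source: Windows Update.exe, {DUMP} Binary or memory string: WINE_GET_UNIX_FILE_NAME",
    f"Source: Windows Update.exe, {DUMP} Binary or memory string: SOFTWARE\\VMware, Inc.\\VMware Tools",
    f"Source: Windows Update.exe, {DUMP} Binary or memory string: VMware SVGA II",
]

if __name__ == "__main__":
    result = parse_evasion_lines(SAMPLE_LINES)
    for proc, buckets in result["delays"].items():
        print(proc, buckets)
    for product, strings in result["vm_artifacts"].items():
        print(product, strings)
```

The distinction between the buckets matters in triage: a 120000 to 300000 ms delay is what a sleep-accelerating sandbox is built to skip, while a thread parked on an effectively infinite wait is waiting on some other trigger and will not reach its payload however the clock is skewed, which is why the report also records a loop of window and user API calls next to these delays.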

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort (2 events)
Enables debug privileges
Source: C:\Users\user\Desktop\Costa Order.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process token adjusted: Debug (2 events)
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
Source: C:\Users\user\Desktop\Costa Order.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 10.2.Costa Order.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 10.2.Costa Order.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Costa Order.exe Memory written: C:\Users\user\Desktop\Costa Order.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Users\user\AppData\Roaming\Windows Update.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A (2 events)
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 (2 events)
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Costa Order.exe Process created: C:\Users\user\Desktop\Costa Order.exe {path} (2 events)
Source: C:\Users\user\Desktop\Costa Order.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe {path}
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2024
Source: Windows Update.exe, 00000018.00000000.389133849.0000000001690000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.469503230.0000000001D80000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.468754091.0000000001210000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Windows Update.exe, 00000018.00000000.389133849.0000000001690000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.469503230.0000000001D80000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.468754091.0000000001210000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Windows Update.exe, 00000018.00000000.389133849.0000000001690000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.469503230.0000000001D80000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.468754091.0000000001210000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Windows Update.exe, 00000018.00000000.389133849.0000000001690000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001E.00000002.469503230.0000000001D80000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000022.00000002.468754091.0000000001210000.00000002.00000001.sdmp Binary or memory string: Progmanlock
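The injection signatures in this section (RunPE API references, an MZ header written at base 400000 in a child started suspended, that child's section unmapped at the same base, and vbc.exe launched with the `/stext` output switch that NirSoft's recovery tools use) describe one chain. The Python below is an added example, not code from the report or from the sample: it models those report lines as events and correlates them per (source, target) pair into a verdict, and separately lists the children driven as credential dumpers. The event list is constructed from lines shown above. The report lines carry no PIDs, so the two vbc.exe instances merge into a single chain, which is a simplification. Treating every `Process created` in this section as a suspended start follows the report's own grouping under "Creates a process in suspended mode".

```python
"""Correlate process-injection events into a process-hollowing verdict.

Added example for this page; it is not code from the sandbox report or from the
sample. Events mirror the report's 'Process created', 'Section unmapped' and
'Memory written ... value starts with: 4D5A' lines. SAMPLE_EVENTS is constructed
from lines shown above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MZ = "4D5A"                # DOS header magic; a write starting with it drops a whole PE
NIRSOFT_SWITCH = "/stext"  # NirSoft recovery tools save their results to a text file with this switch


@dataclass
class Event:
    kind: str                     # "create" (suspended start), "unmap" or "write"
    source: str                   # process performing the action
    target: str                   # process acted upon (same path as source for a child of the same image)
    base: Optional[str] = None    # hex base address for unmap/write events
    prefix: Optional[str] = None  # first bytes written, as the report prints them
    cmdline: str = ""             # command line for create events


@dataclass
class Chain:
    source: str
    target: str
    created_suspended: bool = False
    unmapped_at: Set[str] = field(default_factory=set)
    mz_written_at: Set[str] = field(default_factory=set)
    other_writes: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        # Hollowing needs all three steps against the same base: a suspended
        # child, its original image unmapped there, and a fresh PE written there.
        if self.created_suspended and self.unmapped_at & self.mz_written_at:
            return "process hollowing"
        if self.mz_written_at:
            return "PE injection (no unmap observed)"
        if self.other_writes:
            return "foreign memory write"
        return "none"


def correlate(events: List[Event]) -> Dict[Tuple[str, str], Chain]:
    """Group events by (source, target) path pair. The report lines carry no PIDs,
    so separate instances of the same target image merge into one chain."""
    chains: Dict[Tuple[str, str], Chain] = {}
    for ev in events:
        chain = chains.setdefault((ev.source, ev.target), Chain(ev.source, ev.target))
        if ev.kind == "create":
            # Every 'Process created' in this section is listed by the report
            # under 'Creates a process in suspended mode'.
            chain.created_suspended = True
        elif ev.kind == "unmap":
            chain.unmapped_at.add(ev.base)
        elif ev.kind == "write":
            if ev.prefix == MZ:
                chain.mz_written_at.add(ev.base)
            else:
                chain.other_writes.append(ev.base)
    return chains


def credential_dump_hosts(events: List[Event]) -> List[Tuple[str, str]]:
    """Children started with the /stext switch: the hollowed host is being driven
    as a password-recovery tool writing to the named output file."""
    return [(ev.target, ev.cmdline.split(NIRSOFT_SWITCH, 1)[1].strip())
            for ev in events
            if ev.kind == "create" and NIRSOFT_SWITCH in ev.cmdline]


CO = "C:\\Users\\user\\Desktop\\Costa Order.exe"
WU = "C:\\Users\\user\\AppData\\Roaming\\Windows Update.exe"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"
TMP = "C:\\Users\\user\\AppData\\Local\\Temp\\"

# Constructed from the report lines above, in the order they appear.
SAMPLE_EVENTS = [
    Event("create", CO, CO, cmdline="{path}"),
    Event("write", CO, CO, base="400000", prefix=MZ),
    Event("create", CO, WU, cmdline="'" + WU + "'"),
    Event("create", WU, WU, cmdline="{path}"),
    Event("write", WU, WU, base="400000", prefix=MZ),
    Event("create", WU, VBC, cmdline=VBC + " /stext '" + TMP + "holdermail.txt'"),
    Event("unmap", WU, VBC, base="400000"),
    Event("write", WU, VBC, base="400000", prefix=MZ),
    Event("write", WU, VBC, base="401000"),
    Event("write", WU, VBC, base="412000"),
    Event("create", WU, VBC, cmdline=VBC + " /stext '" + TMP + "holderwb.txt'"),
    Event("unmap", WU, VBC, base="400000"),
    Event("write", WU, VBC, base="400000", prefix=MZ),
    Event("write", WU, VBC, base="401000"),
    Event("write", WU, VBC, base="443000"),
]


def report(events: List[Event]) -> Dict[str, object]:
    """Verdict per chain plus the credential-dump hosts, as a plain dict."""
    chains = correlate(events)
    return {
        "verdicts": {f"{s} -> {t}": c.verdict() for (s, t), c in chains.items()},
        "dump_hosts": credential_dump_hosts(events),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_EVENTS)
    for pair, verdict in summary["verdicts"].items():
        print(f"{verdict:35} {pair}")
    for host, outfile in summary["dump_hosts"]:
        print(f"credential dump via {host} -> {outfile}")
```

The self-image chains (Costa Order.exe into a second Costa Order.exe, Windows Update.exe into a second Windows Update.exe) get only a PE-injection verdict because the report records no unmap for them; only the vbc.exe chain shows the full hollowing sequence. The `/stext` list is the part worth alerting on by itself: a signed Microsoft compiler binary writing `holdermail.txt` and `holderwb.txt` under %TEMP% is consistent with the MailPassView and WebBrowserPassView detections elsewhere in this report.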

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Users\user\Desktop\Costa Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Users\user\Desktop\Costa Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Users\user\AppData\Roaming\Windows Update.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Users\user\AppData\Roaming\Windows Update.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Costa Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Windows Update.exe, 00000018.00000002.428836960.0000000006F40000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 24.2.Windows Update.exe.2d1b48c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.2d1b48c.20.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.400476197.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.390489709.0000000002F9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.421711586.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY
Yara detected MailPassView
Source: Yara match File source: 24.0.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3cf9930.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.45fa72.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.3cf9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3cf9930.23.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.45fa72.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3cf9930.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.3cf9930.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3cf9930.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.422553167.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.390506676.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.391632234.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 24.0.Windows Update.exe.3d12370.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3cf9930.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.409c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.400000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc3b6d.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dbbd60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.408208.17.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.3cf9930.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3d12370.22.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4162168.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc2168.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4163b6d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3d12370.22.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dc3b6d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3d12370.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.4163b6d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Costa Order.exe.3dbbd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.3d12370.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.Costa Order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.409c0d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.3cf9930.23.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.0.Windows Update.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.415bd60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.3d12370.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Windows Update.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.Windows Update.exe.415bd60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.401206826.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.422553167.0000000003CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.392923235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.391632234.0000000003CF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.419082031.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000000.387305782.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 4848, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 1328, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1036, type: MEMORY

Remote Access Functionality:

Detected HawkEye Rat
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Costa Order.exe, 00000002.00000002.284166366.0000000003D39000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Costa Order.exe, 0000000A.00000002.291692224.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Costa Order.exe, 0000000A.00000002.293093252.0000000002DD1000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000011.00000002.372439964.00000000040D9000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000018.00000002.421747814.0000000002D31000.00000004.00000001.sdmp String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000018.00000000.398709179.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000018.00000000.389603296.0000000002D5E000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 00000018.00000000.390450896.0000000002F92000.00000004.00000001.sdmp String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_